From 358e33146d8758b77194374ab68bb266f9d5045a Mon Sep 17 00:00:00 2001
From: Dennis Kugelmann <dennis.kugelmann@simpleclub.com>
Date: Thu, 30 Apr 2026 15:29:05 +0200
Subject: [PATCH 1/2] feat(@angular/build): emit debug ids for stable
 subresource integrity hashes

Enable generating sub-resource integrity hashes when using error tracking tools relying on Debug IDs linking generated code files with source maps.

Closes #33108
---
 .../application/execute-post-bundle.ts        |  9 ++
 .../builders/application/inject-debug-ids.ts  | 49 ++++++++++
 .../options/subresource-integrity_spec.ts     | 94 ++++++++++++++++++-
 packages/angular/build/src/utils/debug-id.ts  | 91 ++++++++++++++++++
 .../angular/build/src/utils/debug-id_spec.ts  | 90 ++++++++++++++++++
 5 files changed, 332 insertions(+), 1 deletion(-)
 create mode 100644 packages/angular/build/src/builders/application/inject-debug-ids.ts
 create mode 100644 packages/angular/build/src/utils/debug-id.ts
 create mode 100644 packages/angular/build/src/utils/debug-id_spec.ts

diff --git a/packages/angular/build/src/builders/application/execute-post-bundle.ts b/packages/angular/build/src/builders/application/execute-post-bundle.ts
index 5171ca254d5d..d7fcb15b8748 100644
--- a/packages/angular/build/src/builders/application/execute-post-bundle.ts
+++ b/packages/angular/build/src/builders/application/execute-post-bundle.ts
@@ -30,6 +30,7 @@ import {
 } from '../../utils/server-rendering/models';
 import { prerenderPages } from '../../utils/server-rendering/prerender';
 import { augmentAppWithServiceWorkerEsbuild } from '../../utils/service-worker';
+import { injectDebugIds } from './inject-debug-ids';
 import { INDEX_HTML_CSR, INDEX_HTML_SERVER, NormalizedApplicationBuildOptions } from './options';
 import { OutputMode } from './schema';
 
@@ -79,6 +80,14 @@ export async function executePostBundleSteps(
     partialSSRBuild,
   } = options;
 
+  // Embed ECMA-426 Debug IDs into JS/source-map pairs before any consumer reads the bytes (in
+  // particular `generateIndexHtml` below, which computes SRI hashes from the on-disk content).
+  // Doing this here also covers the i18n path, where this function is invoked once per locale
+  // with locale-specific output files. Files without a source map sibling are skipped.
+  if (sourcemapOptions.scripts) {
+    injectDebugIds(outputFiles);
+  }
+
   // Index HTML content without CSS inlining to be used for server rendering (AppShell, SSG and SSR).
   // NOTE: Critical CSS inlining is deliberately omitted here, as it will be handled during server rendering.
   // Additionally, when using prerendering or AppShell, the index HTML file may be regenerated.
diff --git a/packages/angular/build/src/builders/application/inject-debug-ids.ts b/packages/angular/build/src/builders/application/inject-debug-ids.ts
new file mode 100644
index 000000000000..8c6cf624c29b
--- /dev/null
+++ b/packages/angular/build/src/builders/application/inject-debug-ids.ts
@@ -0,0 +1,49 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import { BuildOutputFile, BuildOutputFileType } from '../../tools/esbuild/bundler-context';
+import {
+  generateDebugId,
+  injectDebugIdIntoJs,
+  injectDebugIdIntoSourceMap,
+} from '../../utils/debug-id';
+
+/**
+ * Embeds an ECMA-426 Debug ID into every browser JavaScript output that has a
+ * matching source map sibling.
+ *
+ * The Debug ID is derived deterministically (UUIDv5) from the source map bytes
+ * so rebuilds of the same source produce the same ID. The JS file gets a
+ * `//# debugId=<uuid>` comment placed above any existing
+ * `//# sourceMappingURL=` line and the source map JSON gets a top-level
+ * `"debugId"` field. Together they make build artifacts self-identifying as
+ * proposed by https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md.
+ */
+export function injectDebugIds(outputFiles: BuildOutputFile[]): void {
+  const filesByPath = new Map<string, BuildOutputFile>();
+  for (const file of outputFiles) {
+    filesByPath.set(file.path, file);
+  }
+
+  const encoder = new TextEncoder();
+
+  for (const file of outputFiles) {
+    if (file.type !== BuildOutputFileType.Browser || !file.path.endsWith('.js')) {
+      continue;
+    }
+
+    const map = filesByPath.get(`${file.path}.map`);
+    if (!map) {
+      continue;
+    }
+
+    const id = generateDebugId(map.contents);
+    file.contents = encoder.encode(injectDebugIdIntoJs(file.text, id));
+    map.contents = encoder.encode(injectDebugIdIntoSourceMap(map.text, id));
+  }
+}
diff --git a/packages/angular/build/src/builders/application/tests/options/subresource-integrity_spec.ts b/packages/angular/build/src/builders/application/tests/options/subresource-integrity_spec.ts
index f3ec9476b21f..a369f5561385 100644
--- a/packages/angular/build/src/builders/application/tests/options/subresource-integrity_spec.ts
+++ b/packages/angular/build/src/builders/application/tests/options/subresource-integrity_spec.ts
@@ -6,8 +6,23 @@
  * found in the LICENSE file at https://angular.dev/license
  */
 
+import { getSystemPath } from '@angular-devkit/core';
+import { createHash } from 'node:crypto';
+import { readdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
 import { buildApplication } from '../../index';
-import { APPLICATION_BUILDER_INFO, BASE_OPTIONS, describeBuilder, expectNoLog } from '../setup';
+import {
+  APPLICATION_BUILDER_INFO,
+  BASE_OPTIONS,
+  describeBuilder,
+  expectNoLog,
+  host,
+} from '../setup';
+
+/** Resolve a path inside the harness workspace synchronously. */
+function workspacePath(...segments: string[]): string {
+  return join(getSystemPath(host.root()), ...segments);
+}
 
 describeBuilder(buildApplication, APPLICATION_BUILDER_INFO, (harness) => {
   describe('Option: "subresourceIntegrity"', () => {
@@ -65,5 +80,82 @@ describeBuilder(buildApplication, APPLICATION_BUILDER_INFO, (harness) => {
         .content.toMatch(/integrity="\w+-[A-Za-z0-9/+=]+"/);
       expectNoLog(logs, /subresource-integrity/);
     });
+
+    it(`embeds an ECMA-426 debugId in JS and source map and the integrity matches`, async () => {
+      harness.useTarget('build', {
+        ...BASE_OPTIONS,
+        subresourceIntegrity: true,
+        sourceMap: { scripts: true },
+      });
+
+      const { result } = await harness.executeOnce();
+      expect(result?.success).toBe(true);
+
+      const distDir = workspacePath('dist/browser');
+      const allEntries = readdirSync(distDir);
+      const jsFiles = allEntries.filter(
+        (f) => f.endsWith('.js') && allEntries.includes(`${f}.map`),
+      );
+      expect(jsFiles.length).toBeGreaterThan(0);
+
+      const debugIdRe = /^\s*\/\/\s*#\s*debugId=([0-9a-f-]+)\s*$/m;
+      const indexHtml = harness.readFile('dist/browser/index.html');
+      const importmapMatch = indexHtml.match(/<script type="importmap">([^<]+)<\/script>/);
+      const importmap = importmapMatch
+        ? (JSON.parse(importmapMatch[1]) as { integrity: Record<string, string> })
+        : { integrity: {} };
+
+      for (const file of jsFiles) {
+        const js = readFileSync(join(distDir, file), 'utf-8');
+        const map = JSON.parse(readFileSync(join(distDir, `${file}.map`), 'utf-8'));
+
+        const idMatch = js.match(debugIdRe);
+        expect(idMatch).withContext(`debugId comment in ${file}`).not.toBeNull();
+        const id = idMatch![1];
+
+        // ECMA-426: source map carries the same id under "debugId".
+        expect(map.debugId).withContext(`debugId field in ${file}.map`).toBe(id);
+
+        // Integrity hash recorded in index.html (initial) or in the importmap
+        // (lazy) must match the bytes written to disk *after* debug-id
+        // injection, otherwise SRI validation in the browser will fail.
+        const onDisk = readFileSync(join(distDir, file));
+        const expectedSri = `sha384-${createHash('sha384').update(onDisk).digest('base64')}`;
+        const escapedFile = file.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        const escapedSri = expectedSri.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        const inHeadIntegrity = new RegExp(
+          `(?:src|href)="${escapedFile}"[^>]*integrity="${escapedSri}"`,
+        );
+        const fromImportmap = importmap.integrity[`/${file}`];
+        expect(inHeadIntegrity.test(indexHtml) || fromImportmap === expectedSri)
+          .withContext(`integrity for ${file} must match on-disk bytes`)
+          .toBeTrue();
+      }
+    });
+
+    it(`places the debugId comment immediately above sourceMappingURL`, async () => {
+      harness.useTarget('build', {
+        ...BASE_OPTIONS,
+        sourceMap: { scripts: true },
+      });
+
+      const { result } = await harness.executeOnce();
+      expect(result?.success).toBe(true);
+
+      const distDir = workspacePath('dist/browser');
+      const allEntries = readdirSync(distDir);
+      const jsFiles = allEntries.filter(
+        (f) => f.endsWith('.js') && allEntries.includes(`${f}.map`),
+      );
+      expect(jsFiles.length).toBeGreaterThan(0);
+
+      const ordering = /\/\/\s*#\s*debugId=[0-9a-f-]+\s*\n\s*\/\/\s*#\s*sourceMappingURL=/;
+      for (const file of jsFiles) {
+        const js = readFileSync(join(distDir, file), 'utf-8');
+        expect(ordering.test(js))
+          .withContext(`debugId must precede sourceMappingURL in ${file}`)
+          .toBeTrue();
+      }
+    });
   });
 });
diff --git a/packages/angular/build/src/utils/debug-id.ts b/packages/angular/build/src/utils/debug-id.ts
new file mode 100644
index 000000000000..b08a9d63f564
--- /dev/null
+++ b/packages/angular/build/src/utils/debug-id.ts
@@ -0,0 +1,91 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import { createHash } from 'node:crypto';
+
+/**
+ * Fixed RFC 4122 namespace UUID used to derive deterministic UUIDv5 build/Debug IDs.
+ * Treated as 16 raw bytes when fed into the SHA-1 of `namespace || name`.
+ *
+ * The exact value is arbitrary but must remain stable across releases so that
+ * the same source map content always yields the same Debug ID.
+ */
+const ANGULAR_BUILD_NAMESPACE = Buffer.from('6f9619ff8b86d011b42d00cf4fc964ff', 'hex');
+
+/**
+ * Generates a deterministic UUIDv5 (RFC 4122 §4.3) Debug ID from the given name bytes.
+ *
+ * Determinism is recommended by the ECMA-426 "Source Map Debug ID" proposal
+ * (https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md) so that the
+ * produced artifacts are stable across builds with the same source content.
+ *
+ * @param name Bytes that uniquely identify the artifact (typically the source map content).
+ * @returns A canonical UUIDv5 string (lowercase, hyphenated).
+ */
+export function generateDebugId(name: string | Uint8Array): string {
+  const sha = createHash('sha1').update(ANGULAR_BUILD_NAMESPACE).update(name).digest();
+
+  // Set version (5) in the high nibble of byte 6.
+  sha[6] = (sha[6] & 0x0f) | 0x50;
+  // Set RFC 4122 variant bits (10xx) in byte 8.
+  sha[8] = (sha[8] & 0x3f) | 0x80;
+
+  const h = sha.toString('hex');
+
+  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+
+/** Pattern matching an existing `//# debugId=<uuid>` comment anywhere in the file. */
+const DEBUG_ID_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*debugId=[^\n]*\n?/m;
+
+/** Pattern matching the `//# sourceMappingURL=` comment, used to position the debug-id line. */
+const SOURCE_MAPPING_URL_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*sourceMappingURL=[^\n]*$/m;
+
+/**
+ * Inserts (or replaces) a `//# debugId=<id>` comment in the given JavaScript text.
+ *
+ * Per ECMA-426, the comment must appear within the last 5 lines and SHOULD be
+ * placed immediately above any `//# sourceMappingURL=` comment so that existing
+ * tools that only consult the final line still find the source-map URL.
+ */
+export function injectDebugIdIntoJs(text: string, id: string): string {
+  const comment = `//# debugId=${id}`;
+
+  // Replace any existing debugId comment to keep the operation idempotent.
+  if (DEBUG_ID_COMMENT.test(text)) {
+    return text.replace(DEBUG_ID_COMMENT, `${comment}\n`);
+  }
+
+  if (SOURCE_MAPPING_URL_COMMENT.test(text)) {
+    return text.replace(SOURCE_MAPPING_URL_COMMENT, (match) => `${comment}\n${match}`);
+  }
+
+  // No source map reference; append at the very end on its own line.
+  return text.endsWith('\n') ? `${text}${comment}\n` : `${text}\n${comment}\n`;
+}
+
+/**
+ * Sets the top-level `debugId` field on a JSON source map.
+ *
+ * Per ECMA-426, source maps embed the same Debug ID under a `debugId` key so
+ * that consumers can pair a generated file with its source map without relying
+ * on URL/path conventions.
+ */
+export function injectDebugIdIntoSourceMap(json: string, id: string): string {
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = JSON.parse(json) as Record<string, unknown>;
+  } catch {
+    // Source map is malformed; do not corrupt it further.
+    return json;
+  }
+
+  parsed['debugId'] = id;
+
+  return JSON.stringify(parsed);
+}
diff --git a/packages/angular/build/src/utils/debug-id_spec.ts b/packages/angular/build/src/utils/debug-id_spec.ts
new file mode 100644
index 000000000000..532e63d05bd6
--- /dev/null
+++ b/packages/angular/build/src/utils/debug-id_spec.ts
@@ -0,0 +1,90 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import {
+  generateDebugId,
+  injectDebugIdIntoJs,
+  injectDebugIdIntoSourceMap,
+} from './debug-id';
+
+const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
+
+describe('debug-id', () => {
+  describe('generateDebugId', () => {
+    it('produces a canonical UUIDv5 string', () => {
+      expect(generateDebugId('hello')).toMatch(UUID);
+      expect(generateDebugId(new TextEncoder().encode('hello'))).toMatch(
+        UUID,
+      );
+    });
+
+    it('is deterministic for identical inputs', () => {
+      expect(generateDebugId('same content')).toBe(generateDebugId('same content'));
+    });
+
+    it('differs for different inputs', () => {
+      expect(generateDebugId('one')).not.toBe(generateDebugId('two'));
+    });
+  });
+
+  describe('injectDebugIdIntoJs', () => {
+    const id = '11111111-2222-5333-9444-555555555555';
+
+    it('inserts the debugId comment immediately above sourceMappingURL', () => {
+      const text = 'console.log(1);\n//# sourceMappingURL=foo.js.map\n';
+      const result = injectDebugIdIntoJs(text, id);
+      expect(result).toBe(
+        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',
+      );
+    });
+
+    it('appends the comment when no sourceMappingURL is present', () => {
+      const text = 'console.log(1);\n';
+      const result = injectDebugIdIntoJs(text, id);
+      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');
+    });
+
+    it('appends a leading newline when input does not end with one', () => {
+      const text = 'console.log(1);';
+      const result = injectDebugIdIntoJs(text, id);
+      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');
+    });
+
+    it('replaces an existing debugId comment (idempotent)', () => {
+      const original = 'console.log(1);\n//# debugId=00000000-0000-5000-8000-000000000000\n//# sourceMappingURL=foo.js.map\n';
+      const result = injectDebugIdIntoJs(original, id);
+      expect(result).toBe(
+        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',
+      );
+      // Re-running with the same id is a no-op.
+      expect(injectDebugIdIntoJs(result, id)).toBe(result);
+    });
+  });
+
+  describe('injectDebugIdIntoSourceMap', () => {
+    const id = '11111111-2222-5333-9444-555555555555';
+
+    it('adds a top-level debugId field', () => {
+      const map = JSON.stringify({ version: 3, sources: ['a.ts'], mappings: '' });
+      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));
+      expect(updated.debugId).toBe(id);
+      expect(updated.version).toBe(3);
+    });
+
+    it('overwrites an existing debugId field', () => {
+      const map = JSON.stringify({ version: 3, debugId: 'old', mappings: '' });
+      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));
+      expect(updated.debugId).toBe(id);
+    });
+
+    it('returns the original input when JSON is malformed', () => {
+      const malformed = '{ this is not json';
+      expect(injectDebugIdIntoSourceMap(malformed, id)).toBe(malformed);
+    });
+  });
+});

From 0720a2f6c16461dbe27f3e495100050e07ff9b25 Mon Sep 17 00:00:00 2001
From: Dennis Kugelmann <dennis.kugelmann@simpleclub.com>
Date: Thu, 30 Apr 2026 17:38:44 +0200
Subject: [PATCH 2/2] fix: persist formatting of source map JSON

---
 .idea/copilotDiffState.xml                    | 27 +++++++++++++++++++
 packages/angular/build/src/utils/debug-id.ts  |  9 ++++++-
 .../angular/build/src/utils/debug-id_spec.ts  | 12 +++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 .idea/copilotDiffState.xml

diff --git a/.idea/copilotDiffState.xml b/.idea/copilotDiffState.xml
new file mode 100644
index 000000000000..4dbcb4efe03e
--- /dev/null
+++ b/.idea/copilotDiffState.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="CopilotDiffPersistence">
+    <option name="pendingDiffs">
+      <map>
+        <entry key="$PROJECT_DIR$/packages/angular/build/src/utils/debug-id.ts">
+          <value>
+            <PendingDiffInfo>
+              <option name="filePath" value="$PROJECT_DIR$/packages/angular/build/src/utils/debug-id.ts" />
+              <option name="originalContent" value="/**&#10; * @license&#10; * Copyright Google LLC All Rights Reserved.&#10; *&#10; * Use of this source code is governed by an MIT-style license that can be&#10; * found in the LICENSE file at https://angular.dev/license&#10; */&#10;&#10;import { createHash } from 'node:crypto';&#10;&#10;/**&#10; * Fixed RFC 4122 namespace UUID used to derive deterministic UUIDv5 build/Debug IDs.&#10; * Treated as 16 raw bytes when fed into the SHA-1 of `namespace || name`.&#10; *&#10; * The exact value is arbitrary but must remain stable across releases so that&#10; * the same source map content always yields the same Debug ID.&#10; */&#10;const ANGULAR_BUILD_NAMESPACE = Buffer.from('6f9619ff8b86d011b42d00cf4fc964ff', 'hex');&#10;&#10;/**&#10; * Generates a deterministic UUIDv5 (RFC 4122 §4.3) Debug ID from the given name bytes.&#10; *&#10; * Determinism is recommended by the ECMA-426 &quot;Source Map Debug ID&quot; proposal&#10; * (https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md) so that the&#10; * produced artifacts are stable across builds with the same source content.&#10; *&#10; * @param name Bytes that uniquely identify the artifact (typically the source map content).&#10; * @returns A canonical UUIDv5 string (lowercase, hyphenated).&#10; */&#10;export function generateDebugId(name: string | Uint8Array): string {&#10;  const sha = createHash('sha1').update(ANGULAR_BUILD_NAMESPACE).update(name).digest();&#10;&#10;  // Set version (5) in the high nibble of byte 6.&#10;  sha[6] = (sha[6] &amp; 0x0f) | 0x50;&#10;  // Set RFC 4122 variant bits (10xx) in byte 8.&#10;  sha[8] = (sha[8] &amp; 0x3f) | 0x80;&#10;&#10;  const h = sha.toString('hex');&#10;&#10;  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;&#10;}&#10;&#10;/** Pattern matching an existing `//# debugId=&lt;uuid&gt;` comment anywhere in the file. */&#10;const DEBUG_ID_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*debugId=[^\n]*\n?/m;&#10;&#10;/** Pattern matching the `//# sourceMappingURL=` comment, used to position the debug-id line. */&#10;const SOURCE_MAPPING_URL_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*sourceMappingURL=[^\n]*$/m;&#10;&#10;/**&#10; * Inserts (or replaces) a `//# debugId=&lt;id&gt;` comment in the given JavaScript text.&#10; *&#10; * Per ECMA-426, the comment must appear within the last 5 lines and SHOULD be&#10; * placed immediately above any `//# sourceMappingURL=` comment so that existing&#10; * tools that only consult the final line still find the source-map URL.&#10; */&#10;export function injectDebugIdIntoJs(text: string, id: string): string {&#10;  const comment = `//# debugId=${id}`;&#10;&#10;  // Replace any existing debugId comment to keep the operation idempotent.&#10;  if (DEBUG_ID_COMMENT.test(text)) {&#10;    return text.replace(DEBUG_ID_COMMENT, `${comment}\n`);&#10;  }&#10;&#10;  if (SOURCE_MAPPING_URL_COMMENT.test(text)) {&#10;    return text.replace(SOURCE_MAPPING_URL_COMMENT, (match) =&gt; `${comment}\n${match}`);&#10;  }&#10;&#10;  // No source map reference; append at the very end on its own line.&#10;  return text.endsWith('\n') ? `${text}${comment}\n` : `${text}\n${comment}\n`;&#10;}&#10;&#10;/**&#10; * Sets the top-level `debugId` field on a JSON source map.&#10; *&#10; * Per ECMA-426, source maps embed the same Debug ID under a `debugId` key so&#10; * that consumers can pair a generated file with its source map without relying&#10; * on URL/path conventions.&#10; */&#10;export function injectDebugIdIntoSourceMap(json: string, id: string): string {&#10;  let parsed: Record&lt;string, unknown&gt;;&#10;  try {&#10;    parsed = JSON.parse(json) as Record&lt;string, unknown&gt;;&#10;  } catch {&#10;    // Source map is malformed; do not corrupt it further.&#10;    return json;&#10;  }&#10;&#10;  parsed['debugId'] = id;&#10;&#10;  return JSON.stringify(parsed);&#10;}&#10;" />
+              <option name="updatedContent" value="/**&#10; * @license&#10; * Copyright Google LLC All Rights Reserved.&#10; *&#10; * Use of this source code is governed by an MIT-style license that can be&#10; * found in the LICENSE file at https://angular.dev/license&#10; */&#10;&#10;import { createHash } from 'node:crypto';&#10;&#10;/**&#10; * Fixed RFC 4122 namespace UUID used to derive deterministic UUIDv5 build/Debug IDs.&#10; * Treated as 16 raw bytes when fed into the SHA-1 of `namespace || name`.&#10; *&#10; * The exact value is arbitrary but must remain stable across releases so that&#10; * the same source map content always yields the same Debug ID.&#10; */&#10;const ANGULAR_BUILD_NAMESPACE = Buffer.from('6f9619ff8b86d011b42d00cf4fc964ff', 'hex');&#10;&#10;/**&#10; * Generates a deterministic UUIDv5 (RFC 4122 §4.3) Debug ID from the given name bytes.&#10; *&#10; * Determinism is recommended by the ECMA-426 &quot;Source Map Debug ID&quot; proposal&#10; * (https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md) so that the&#10; * produced artifacts are stable across builds with the same source content.&#10; *&#10; * @param name Bytes that uniquely identify the artifact (typically the source map content).&#10; * @returns A canonical UUIDv5 string (lowercase, hyphenated).&#10; */&#10;export function generateDebugId(name: string | Uint8Array): string {&#10;  const sha = createHash('sha1').update(ANGULAR_BUILD_NAMESPACE).update(name).digest();&#10;&#10;  // Set version (5) in the high nibble of byte 6.&#10;  sha[6] = (sha[6] &amp; 0x0f) | 0x50;&#10;  // Set RFC 4122 variant bits (10xx) in byte 8.&#10;  sha[8] = (sha[8] &amp; 0x3f) | 0x80;&#10;&#10;  const h = sha.toString('hex');&#10;&#10;  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;&#10;}&#10;&#10;/** Pattern matching an existing `//# debugId=&lt;uuid&gt;` comment anywhere in the file. */&#10;const DEBUG_ID_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*debugId=[^\n]*\n?/m;&#10;&#10;/** Pattern matching the `//# sourceMappingURL=` comment, used to position the debug-id line. */&#10;const SOURCE_MAPPING_URL_COMMENT = /^[ \t]*\/\/[ \t]*#[ \t]*sourceMappingURL=[^\n]*$/m;&#10;&#10;/**&#10; * Inserts (or replaces) a `//# debugId=&lt;id&gt;` comment in the given JavaScript text.&#10; *&#10; * Per ECMA-426, the comment must appear within the last 5 lines and SHOULD be&#10; * placed immediately above any `//# sourceMappingURL=` comment so that existing&#10; * tools that only consult the final line still find the source-map URL.&#10; */&#10;export function injectDebugIdIntoJs(text: string, id: string): string {&#10;  const comment = `//# debugId=${id}`;&#10;&#10;  // Replace any existing debugId comment to keep the operation idempotent.&#10;  if (DEBUG_ID_COMMENT.test(text)) {&#10;    return text.replace(DEBUG_ID_COMMENT, `${comment}\n`);&#10;  }&#10;&#10;  if (SOURCE_MAPPING_URL_COMMENT.test(text)) {&#10;    return text.replace(SOURCE_MAPPING_URL_COMMENT, (match) =&gt; `${comment}\n${match}`);&#10;  }&#10;&#10;  // No source map reference; append at the very end on its own line.&#10;  return text.endsWith('\n') ? `${text}${comment}\n` : `${text}\n${comment}\n`;&#10;}&#10;&#10;/**&#10; * Sets the top-level `debugId` field on a JSON source map.&#10; *&#10; * Per ECMA-426, source maps embed the same Debug ID under a `debugId` key so&#10; * that consumers can pair a generated file with its source map without relying&#10; * on URL/path conventions.&#10; */&#10;export function injectDebugIdIntoSourceMap(json: string, id: string): string {&#10;  let parsed: Record&lt;string, unknown&gt;;&#10;  try {&#10;    parsed = JSON.parse(json) as Record&lt;string, unknown&gt;;&#10;  } catch {&#10;    // Source map is malformed; do not corrupt it further.&#10;    return json;&#10;  }&#10;&#10;  if (parsed['debugId'] === id) {&#10;    return json;&#10;  }&#10;&#10;  parsed['debugId'] = id;&#10;&#10;  // Preserve existing pretty-print indentation when the source map is formatted.&#10;  const indent = json.match(/^[^{]*{\r?\n([ \t]+)/)?.[1];&#10;&#10;  return JSON.stringify(parsed, null, indent);&#10;}&#10;" />
+            </PendingDiffInfo>
+          </value>
+        </entry>
+        <entry key="$PROJECT_DIR$/packages/angular/build/src/utils/debug-id_spec.ts">
+          <value>
+            <PendingDiffInfo>
+              <option name="filePath" value="$PROJECT_DIR$/packages/angular/build/src/utils/debug-id_spec.ts" />
+              <option name="originalContent" value="/**&#10; * @license&#10; * Copyright Google LLC All Rights Reserved.&#10; *&#10; * Use of this source code is governed by an MIT-style license that can be&#10; * found in the LICENSE file at https://angular.dev/license&#10; */&#10;&#10;import {&#10;  generateDebugId,&#10;  injectDebugIdIntoJs,&#10;  injectDebugIdIntoSourceMap,&#10;} from './debug-id';&#10;&#10;const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;&#10;&#10;describe('debug-id', () =&gt; {&#10;  describe('generateDebugId', () =&gt; {&#10;    it('produces a canonical UUIDv5 string', () =&gt; {&#10;      expect(generateDebugId('hello')).toMatch(UUID);&#10;      expect(generateDebugId(new TextEncoder().encode('hello'))).toMatch(&#10;        UUID,&#10;      );&#10;    });&#10;&#10;    it('is deterministic for identical inputs', () =&gt; {&#10;      expect(generateDebugId('same content')).toBe(generateDebugId('same content'));&#10;    });&#10;&#10;    it('differs for different inputs', () =&gt; {&#10;      expect(generateDebugId('one')).not.toBe(generateDebugId('two'));&#10;    });&#10;  });&#10;&#10;  describe('injectDebugIdIntoJs', () =&gt; {&#10;    const id = '11111111-2222-5333-9444-555555555555';&#10;&#10;    it('inserts the debugId comment immediately above sourceMappingURL', () =&gt; {&#10;      const text = 'console.log(1);\n//# sourceMappingURL=foo.js.map\n';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe(&#10;        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',&#10;      );&#10;    });&#10;&#10;    it('appends the comment when no sourceMappingURL is present', () =&gt; {&#10;      const text = 'console.log(1);\n';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');&#10;    });&#10;&#10;    it('appends a leading newline when input does not end with one', () =&gt; {&#10;      const text = 'console.log(1);';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');&#10;    });&#10;&#10;    it('replaces an existing debugId comment (idempotent)', () =&gt; {&#10;      const original = 'console.log(1);\n//# debugId=00000000-0000-5000-8000-000000000000\n//# sourceMappingURL=foo.js.map\n';&#10;      const result = injectDebugIdIntoJs(original, id);&#10;      expect(result).toBe(&#10;        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',&#10;      );&#10;      // Re-running with the same id is a no-op.&#10;      expect(injectDebugIdIntoJs(result, id)).toBe(result);&#10;    });&#10;  });&#10;&#10;  describe('injectDebugIdIntoSourceMap', () =&gt; {&#10;    const id = '11111111-2222-5333-9444-555555555555';&#10;&#10;    it('adds a top-level debugId field', () =&gt; {&#10;      const map = JSON.stringify({ version: 3, sources: ['a.ts'], mappings: '' });&#10;      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));&#10;      expect(updated.debugId).toBe(id);&#10;      expect(updated.version).toBe(3);&#10;    });&#10;&#10;    it('overwrites an existing debugId field', () =&gt; {&#10;      const map = JSON.stringify({ version: 3, debugId: 'old', mappings: '' });&#10;      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));&#10;      expect(updated.debugId).toBe(id);&#10;    });&#10;&#10;    it('returns the original input when JSON is malformed', () =&gt; {&#10;      const malformed = '{ this is not json';&#10;      expect(injectDebugIdIntoSourceMap(malformed, id)).toBe(malformed);&#10;    });&#10;  });&#10;});&#10;" />
+              <option name="updatedContent" value="/**&#10; * @license&#10; * Copyright Google LLC All Rights Reserved.&#10; *&#10; * Use of this source code is governed by an MIT-style license that can be&#10; * found in the LICENSE file at https://angular.dev/license&#10; */&#10;&#10;import {&#10;  generateDebugId,&#10;  injectDebugIdIntoJs,&#10;  injectDebugIdIntoSourceMap,&#10;} from './debug-id';&#10;&#10;const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;&#10;&#10;describe('debug-id', () =&gt; {&#10;  describe('generateDebugId', () =&gt; {&#10;    it('produces a canonical UUIDv5 string', () =&gt; {&#10;      expect(generateDebugId('hello')).toMatch(UUID);&#10;      expect(generateDebugId(new TextEncoder().encode('hello'))).toMatch(&#10;        UUID,&#10;      );&#10;    });&#10;&#10;    it('is deterministic for identical inputs', () =&gt; {&#10;      expect(generateDebugId('same content')).toBe(generateDebugId('same content'));&#10;    });&#10;&#10;    it('differs for different inputs', () =&gt; {&#10;      expect(generateDebugId('one')).not.toBe(generateDebugId('two'));&#10;    });&#10;  });&#10;&#10;  describe('injectDebugIdIntoJs', () =&gt; {&#10;    const id = '11111111-2222-5333-9444-555555555555';&#10;&#10;    it('inserts the debugId comment immediately above sourceMappingURL', () =&gt; {&#10;      const text = 'console.log(1);\n//# sourceMappingURL=foo.js.map\n';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe(&#10;        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',&#10;      );&#10;    });&#10;&#10;    it('appends the comment when no sourceMappingURL is present', () =&gt; {&#10;      const text = 'console.log(1);\n';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');&#10;    });&#10;&#10;    it('appends a leading newline when input does not end with one', () =&gt; {&#10;      const text = 'console.log(1);';&#10;      const result = injectDebugIdIntoJs(text, id);&#10;      expect(result).toBe('console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n');&#10;    });&#10;&#10;    it('replaces an existing debugId comment (idempotent)', () =&gt; {&#10;      const original = 'console.log(1);\n//# debugId=00000000-0000-5000-8000-000000000000\n//# sourceMappingURL=foo.js.map\n';&#10;      const result = injectDebugIdIntoJs(original, id);&#10;      expect(result).toBe(&#10;        'console.log(1);\n//# debugId=11111111-2222-5333-9444-555555555555\n//# sourceMappingURL=foo.js.map\n',&#10;      );&#10;      // Re-running with the same id is a no-op.&#10;      expect(injectDebugIdIntoJs(result, id)).toBe(result);&#10;    });&#10;  });&#10;&#10;  describe('injectDebugIdIntoSourceMap', () =&gt; {&#10;    const id = '11111111-2222-5333-9444-555555555555';&#10;&#10;    it('adds a top-level debugId field', () =&gt; {&#10;      const map = JSON.stringify({ version: 3, sources: ['a.ts'], mappings: '' });&#10;      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));&#10;      expect(updated.debugId).toBe(id);&#10;      expect(updated.version).toBe(3);&#10;    });&#10;&#10;    it('overwrites an existing debugId field', () =&gt; {&#10;      const map = JSON.stringify({ version: 3, debugId: 'old', mappings: '' });&#10;      const updated = JSON.parse(injectDebugIdIntoSourceMap(map, id));&#10;      expect(updated.debugId).toBe(id);&#10;    });&#10;&#10;    it('returns the original input when debugId already matches', () =&gt; {&#10;      const map = '{\n  &quot;version&quot;: 3,\n  &quot;debugId&quot;: &quot;11111111-2222-5333-9444-555555555555&quot;,\n  &quot;mappings&quot;: &quot;&quot;\n}';&#10;      expect(injectDebugIdIntoSourceMap(map, id)).toBe(map);&#10;    });&#10;&#10;    it('preserves indentation when updating a pretty-printed source map', () =&gt; {&#10;      const map = '{\n\t&quot;version&quot;: 3,\n\t&quot;mappings&quot;: &quot;&quot;\n}';&#10;      expect(injectDebugIdIntoSourceMap(map, id)).toBe(&#10;        '{\n\t&quot;version&quot;: 3,\n\t&quot;mappings&quot;: &quot;&quot;,\n\t&quot;debugId&quot;: &quot;11111111-2222-5333-9444-555555555555&quot;\n}',&#10;      );&#10;    });&#10;&#10;    it('returns the original input when JSON is malformed', () =&gt; {&#10;      const malformed = '{ this is not json';&#10;      expect(injectDebugIdIntoSourceMap(malformed, id)).toBe(malformed);&#10;    });&#10;  });&#10;});&#10;" />
+            </PendingDiffInfo>
+          </value>
+        </entry>
+      </map>
+    </option>
+  </component>
+</project>
\ No newline at end of file
diff --git a/packages/angular/build/src/utils/debug-id.ts b/packages/angular/build/src/utils/debug-id.ts
index b08a9d63f564..5bf6e44e4f53 100644
--- a/packages/angular/build/src/utils/debug-id.ts
+++ b/packages/angular/build/src/utils/debug-id.ts
@@ -85,7 +85,14 @@ export function injectDebugIdIntoSourceMap(json: string, id: string): string {
     return json;
   }
 
+  if (parsed['debugId'] === id) {
+    return json;
+  }
+
   parsed['debugId'] = id;
 
-  return JSON.stringify(parsed);
+  // Preserve existing pretty-print indentation when the source map is formatted.
+  const indent = json.match(/^[^{]*{\r?\n([ \t]+)/)?.[1];
+
+  return JSON.stringify(parsed, null, indent);
 }
diff --git a/packages/angular/build/src/utils/debug-id_spec.ts b/packages/angular/build/src/utils/debug-id_spec.ts
index 532e63d05bd6..d8b7156c4c50 100644
--- a/packages/angular/build/src/utils/debug-id_spec.ts
+++ b/packages/angular/build/src/utils/debug-id_spec.ts
@@ -82,6 +82,18 @@ describe('debug-id', () => {
       expect(updated.debugId).toBe(id);
     });
 
+    it('returns the original input when debugId already matches', () => {
+      const map = '{\n  "version": 3,\n  "debugId": "11111111-2222-5333-9444-555555555555",\n  "mappings": ""\n}';
+      expect(injectDebugIdIntoSourceMap(map, id)).toBe(map);
+    });
+
+    it('preserves indentation when updating a pretty-printed source map', () => {
+      const map = '{\n\t"version": 3,\n\t"mappings": ""\n}';
+      expect(injectDebugIdIntoSourceMap(map, id)).toBe(
+        '{\n\t"version": 3,\n\t"mappings": "",\n\t"debugId": "11111111-2222-5333-9444-555555555555"\n}',
+      );
+    });
+
     it('returns the original input when JSON is malformed', () => {
       const malformed = '{ this is not json';
       expect(injectDebugIdIntoSourceMap(malformed, id)).toBe(malformed);