feat(avatar-cache): cache author avatar bytes to bypass Brave Shields

Brave's Shields bypasses HTTP caching for cross-origin requests from
extension pages, so <img> tags pointing at avatars.githubusercontent.com
re-download on every popup open. Cache the decoded bytes as base64 data
URLs in chrome.storage.local so popups render with no network and no
flicker.

Design:
- Single writer (background), popup is read-only via loadSnapshot()
- Freshness: URL match + 7d TTL + If-Modified-Since revalidation
- LRU eviction bounded by both entry count (100) and total bytes (5 MB)
- Generation counter gates cross-account logout/re-login races
- Concurrency capped at 5 in-flight fetches

Bumps minimum_chrome_version to 114 so the 5 MB avatar cap fits within
storage.local's 10 MB quota (Chrome <114 was 5 MB total).

Author: euxx

manifest-firefox.json

@@ -4,7 +4,11 @@
   "version": "1.3.1",
   "description": "GitHub notifications in the browser toolbar",
   "permissions": ["alarms", "storage", "notifications"],
-  "host_permissions": ["https://api.github.com/*", "https://github.com/*"],
+  "host_permissions": [
+    "https://api.github.com/*",
+    "https://github.com/*",
+    "https://avatars.githubusercontent.com/*"
+  ],
   "content_security_policy": {
     "extension_pages": "script-src 'self'; object-src 'self'"
   },

manifest.json

@@ -3,9 +3,13 @@
   "name": "GitHub Notifier Pro",
   "version": "1.3.1",
   "description": "GitHub notifications in the browser toolbar",
-  "minimum_chrome_version": "99",
+  "minimum_chrome_version": "114",
   "permissions": ["alarms", "storage", "notifications"],
-  "host_permissions": ["https://api.github.com/*", "https://github.com/*"],
+  "host_permissions": [
+    "https://api.github.com/*",
+    "https://github.com/*",
+    "https://avatars.githubusercontent.com/*"
+  ],
   "content_security_policy": {
     "extension_pages": "script-src 'self'; object-src 'self'"
   },

src/background/notification-fetcher.js

@@ -28,6 +28,7 @@ import {
 } from "../lib/constants.js";
 import { LRUCache, DEFAULT_LRU_CACHE_SIZE } from "../lib/lru-cache.js";
 import { applyRulesWithStats, isVisible } from "../lib/filter-rules.js";
+import { ensureAvatarsCached } from "../lib/avatar-cache.js";
 import { showDesktopNotificationsForNew } from "./desktop-notifications.js";
 
 const SESSION_KEY_COMMENT_CACHE = "latestCommentUrlCache";
@@ -209,6 +210,19 @@ export function createNotificationFetcher(deps) {
     }
   }
 
+  // ─── Avatar bytes warmup ──────────────────────────────────────────────
+  // Fire-and-forget — the avatar-cache module skips entries within its TTL,
+  // deduplicates by login, and bounds concurrency internally.
+  function warmAuthorAvatars(notifications) {
+    const authors = [];
+    for (const n of notifications) {
+      if (n?.author?.login && n.author.avatar_url) authors.push(n.author);
+    }
+    if (authors.length > 0) {
+      ensureAvatarsCached(authors).catch(() => {});
+    }
+  }
+
   // ─── Detail fetch helpers ─────────────────────────────────────────────
   async function fetchWithConcurrencyLimit(tasks, limit = 5) {
     const results = [];
@@ -461,6 +475,7 @@ export function createNotificationFetcher(deps) {
         console.log(
           `Fetch #${currentFetchVersion} saved ${priorityNotifications.length} priority notifications`,
         );
+        warmAuthorAvatars(detailedNotifications);
       }
     }
 
@@ -502,6 +517,7 @@ export function createNotificationFetcher(deps) {
             console.log(
               `Fetch #${currentFetchVersion} updated storage with detailed notifications`,
             );
+            warmAuthorAvatars(detailedNotifications);
             prefetchLatestCommentUrls(detailedNotifications).catch((error) => {
               console.error("Error prefetching latest comment URLs:", error);
             });

src/background/service-worker.js

@@ -13,6 +13,7 @@ import {
 } from "../lib/constants.js";
 import { classifyError } from "../lib/http.js";
 import { buildNotificationUrl } from "../lib/url-builder.js";
+import { ensureAvatarsCached, setActive as setAvatarCacheActive } from "../lib/avatar-cache.js";
 import {
   applyRulesWithStats,
   isVisible,
@@ -121,6 +122,7 @@ async function doInitialize() {
   const token = await storage.getToken();
   if (token) {
     github.token = token;
+    setAvatarCacheActive(true);
     const username = await storage.getUsername();
     if (username) {
       github.username = username;
@@ -131,9 +133,30 @@ async function doInitialize() {
     // recycling). No-op on Firefox or when session storage has no saved data.
     await fetcher.restoreCommentCache();
 
+    // Warm the avatar data-URL cache for the signed-in user and any
+    // notification authors already on disk. Fire-and-forget; the cache
+    // module skips entries that are still TTL-fresh. Covers the case
+    // where notifications survived a SW restart but the avatar cache
+    // was evicted/cleared — runFetch only warms when detail fetches
+    // run, so steady state with no updated_at changes would otherwise
+    // leave authors uncached.
+    Promise.all([storage.getUserInfo(), storage.getNotifications()])
+      .then(([userInfo, notifs]) => {
+        const people = [];
+        if (userInfo) people.push({ login: userInfo.login, avatar_url: userInfo.avatar_url });
+        for (const n of notifs || []) {
+          if (n?.author) people.push(n.author);
+        }
+        return ensureAvatarsCached(people);
+      })
+      .catch((err) => {
+        console.warn("Avatar cache warmup failed", err);
+      });
+
     await startPolling();
     await checkNotifications();
   } else {
+    setAvatarCacheActive(false);
     fetcher.resetHasMore();
     await updateBadge(null);
   }
@@ -413,6 +436,16 @@ async function handleLogin(authMethod = "oauth", token = null) {
     await storage.setUserInfo(github.userInfo);
     await storage.setAuthMethod(authMethod);
 
+    setAvatarCacheActive(true);
+    // Warm the avatar data-URL cache so the popup never has to refetch the
+    // image — Brave's Shields bypass HTTP caching for cross-origin requests
+    // and would otherwise reload the avatar on every popup open.
+    ensureAvatarsCached([
+      { login: github.userInfo?.login, avatar_url: github.userInfo?.avatar_url },
+    ]).catch((err) => {
+      console.warn("Avatar cache warmup failed", err);
+    });
+
     await startPolling();
     await checkNotifications();
 
@@ -426,6 +459,11 @@ async function handleLogin(authMethod = "oauth", token = null) {
 }
 
 async function handleLogout() {
+  // Gate the avatar cache BEFORE clearing storage. clearAuthData() bypasses
+  // the avatar-cache writeQueue, so a later ensureAvatarsCached() — queued
+  // from an in-flight runFetch — would otherwise repopulate the cache with
+  // the previous user's avatars after the wipe.
+  setAvatarCacheActive(false);
   github.logout();
   fetcher.resetHasMore();
   await fetcher.clearCommentCache();