fix: invalidate repo filter cache when GitHub token auth state changes #494

Open
Nsanjayboruds wants to merge 8 commits into fossasia:main from Nsanjayboruds:bug/repo-filter-cache-token-state

Contributor

@Nsanjayboruds Nsanjayboruds commented Mar 28, 2026

📌 Fixes

Fixes #493


📝 Summary of Changes

  • Added token-aware repository cache keys for GitHub repo filtering in popup flows.
  • Updated repo cache key generation to include auth state marker (auth / noauth) so cache is not reused across unauthenticated and authenticated sessions.
  • Added cache invalidation when GitHub token auth mode changes (empty <-> non-empty), forcing fresh repository fetch.
  • Updated internal repo-cache key in scrum generation path to include auth state for consistency.
  • Updated Biome schema in biome.json to match installed CLI version (2.4.9) and formatted affected files to pass checks.

Files touched:

  • src/scripts/popup.js
  • src/scripts/scrumHelper.js
  • src/scripts/gitlabHelper.js (format only)
  • biome.json

✅ Checklist

  • I’ve tested my changes locally
  • I’ve added tests (if applicable)
  • I’ve updated documentation (if applicable)
  • My code follows the project’s code style guidelines

👀 Reviewer Notes

  • Main bug fixed: repository filter could serve stale unauthenticated cached repos after user adds GitHub token.
  • Token auth-state transitions now invalidate repo cache and generate distinct cache keys.
  • Validation run:
    • npm install
    • npm run check (passes)
  • src/scripts/gitlabHelper.js was auto-formatted to satisfy repository-wide Biome checks; no logic change intended there.

Summary by Sourcery

Ensure GitHub repository filtering cache respects authentication state and is invalidated when the GitHub token changes.

Bug Fixes:

  • Prevent stale unauthenticated GitHub repository lists from being reused after a user adds or removes a GitHub token by incorporating auth state into repo cache keys.
  • Fix scrum generation repo cache reuse across different GitHub auth states by including an auth marker in the cache key.

Enhancements:

  • Add a helper for building token-aware GitHub repo cache keys shared across popup repo-fetch flows.
  • Improve i18n error and status message formatting consistency across popup, scrum helper, and GitLab helper scripts.

Build:

  • Update Biome configuration to the installed CLI version and reformat affected scripts to satisfy style checks.

Copilot AI review requested due to automatic review settings March 28, 2026 11:59
Contributor

sourcery-ai Bot commented Mar 28, 2026

Reviewer's Guide

Adds GitHub-auth-state–aware cache keys and invalidation for repository filtering, ensuring repo caches are not shared between authenticated and unauthenticated sessions, and updates related scrum helper cache keys plus formatting and Biome config changes.

Sequence diagram for GitHub repo filtering with auth-aware cache

sequenceDiagram
  actor User
  participant Popup
  participant Storage as browser_storage_local
  participant GitHubAPI

  User->>Popup: Toggle useRepoFilter to enabled
  Popup->>Storage: get platform, username, orgName, githubToken, repoCache
  Popup-->>Popup: check platform is github
  Popup-->>Popup: repoCacheKey = getRepoCacheKey(username, orgName, githubToken)
  Popup-->>Popup: compute cacheAge
  alt Fresh cache with matching repoCacheKey
    Popup-->>Popup: use cached repos
    Popup-->>User: Show filtered repo list from cache
  else No cache or stale cache or mismatched repoCacheKey
    Popup->>GitHubAPI: fetchUserRepositories(username, orgName, githubToken)
    GitHubAPI-->>Popup: repos
    Popup-->>Popup: repoCacheKey = getRepoCacheKey(username, orgName, githubToken)
    Popup->>Storage: set repoCache { data, timestamp, cacheKey: repoCacheKey }
    Popup-->>User: Show filtered repo list from fresh fetch
  end

  Note over Popup: getRepoCacheKey(username, orgName, token) -> "repos-username-org-tokenMarker" where tokenMarker is auth or noauth

Sequence diagram for GitHub token change invalidating repo cache

sequenceDiagram
  actor User
  participant Popup
  participant Storage as browser_storage_local

  User->>Popup: Open popup UI
  Popup->>Storage: get githubToken, repoCache
  Storage-->>Popup: githubToken, repoCache
  Popup-->>Popup: previousGithubTokenMarker = githubToken ? auth : noauth

  User->>Popup: Edit githubTokenInput
  Popup-->>Popup: nextTokenMarker = githubTokenInput.value ? auth : noauth
  Popup-->>Popup: shouldInvalidateRepoCache = previousGithubTokenMarker != nextTokenMarker
  Popup-->>Popup: previousGithubTokenMarker = nextTokenMarker

  alt shouldInvalidateRepoCache is true
    Popup-->>Popup: payload = { githubToken, repoCache: null }
  else shouldInvalidateRepoCache is false
    Popup-->>Popup: payload = { githubToken }
  end

  Popup->>Storage: set payload

  Note over Popup: Changing between auth and noauth forces repoCache to be cleared so future loads refetch repos

File-Level Changes

Change: Make GitHub repo filter cache keys token-auth-state aware and invalidate cache when auth mode changes.
Details:
  • Introduce a shared getRepoCacheKey(username, orgName, token) helper that encodes an auth/noauth token marker into the repo cache key.
  • Use the new token-aware cache key for saving repoCache after a fetch and for reading repoCache when repo filtering is enabled.
  • Track the previous githubToken auth marker in popup state and, on githubToken input changes, clear repoCache if the marker toggles between auth and noauth.
Files: src/scripts/popup.js

Change: Align scrum report GitHub repo cache keys with token auth state to avoid cross-auth cache reuse.
Details:
  • Extend the scrum helper’s repo cache key to include an auth/noauth marker based on the presence of a GitHub token.
  • Keep repo filter disabled handling and cache freshness checks unchanged aside from the new key format.
Files: src/scripts/scrumHelper.js

Change: Apply formatting-only changes to match updated Biome configuration.
Details:
  • Reflow long i18n and error message lines and clean whitespace in popup and scrum helper scripts without changing logic.
  • Reformat GitLab helper error handling blocks for readability while preserving behavior.
  • Update biome.json to the new CLI-compatible schema (2.4.9).
Files: src/scripts/popup.js, src/scripts/scrumHelper.js, src/scripts/gitlabHelper.js, biome.json

Assessment against linked issues

Issue Objective Addressed Explanation
#493 Make the GitHub repository filter cache key token/auth-state aware (so authenticated vs unauthenticated sessions use distinct cache entries) across both popup and scrum generation paths.
#493 Invalidate or bypass existing repository cache when the GitHub token auth state changes (transition between empty and non-empty token), so a fresh, correctly authenticated repo list is fetched immediately.


@github-actions github-actions Bot added javascript Pull requests that update javascript code core config labels Mar 28, 2026
Contributor

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • The auth/noauth marker logic is duplicated and slightly inconsistent (trim() in popup.js but not in scrumHelper.js); consider extracting a small shared helper (e.g., getGithubTokenMarker(token)) and reusing it to avoid future divergence in cache key behavior.
  • The auth/noauth strings are now part of multiple cache key formats; pulling them into a shared constant or enum-like structure would make it less error‑prone to evolve these markers or search for all usages later.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `auth`/`noauth` marker logic is duplicated and slightly inconsistent (`trim()` in `popup.js` but not in `scrumHelper.js`); consider extracting a small shared helper (e.g., `getGithubTokenMarker(token)`) and reusing it to avoid future divergence in cache key behavior.
- The `auth`/`noauth` strings are now part of multiple cache key formats; pulling them into a shared constant or enum-like structure would make it less error‑prone to evolve these markers or search for all usages later.

## Individual Comments

### Comment 1
<location path="src/scripts/popup.js" line_range="711-713" />
<code_context>
 			});
 		});
 		githubTokenInput.addEventListener('input', () => {
-			browser.storage.local.set({ githubToken: githubTokenInput.value });
+			const nextTokenMarker = githubTokenInput.value.trim() ? 'auth' : 'noauth';
+			const shouldInvalidateRepoCache = previousGithubTokenMarker !== nextTokenMarker;
+			previousGithubTokenMarker = nextTokenMarker;
+
</code_context>
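Review bot: In the `input` handler, `nextTokenMarker` is recomputed on every keystroke, so `shouldInvalidateRepoCache` turns true at the first character typed into an empty field and the cache is cleared against a token that is still being entered. Debounce the handler or move the invalidation to a `change` or blur event, so the marker is compared once the field holds its final value. A short comment saying where `previousGithubTokenMarker` is initialised would also help, since these lines mutate it without showing its declaration.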
<issue_to_address>
**issue (bug_risk):** Repo cache invalidation only distinguishes auth/noauth, not actual token changes.

Because both `previousGithubTokenMarker` and `nextTokenMarker` map any non-empty token to `'auth'`, switching between different valid tokens will not invalidate `repoCache`, even when the repo set differs (different user, scopes, orgs, etc.). Since `getRepoCacheKey` also only uses the auth/noauth marker, cached results from one token can be incorrectly reused for another. Please key the cache on a more specific, non-reversible token fingerprint (e.g., a hash) so any token change invalidates the cache without storing the raw token.
</issue_to_address>

### Comment 2
<location path="src/scripts/scrumHelper.js" line_range="918" />
<code_context>
 			return [];
 		}
-		const repoCacheKey = `repos-${platformUsernameLocal}-${orgName}-${startDateForCache}-${endDateForCache}`;
+		const tokenMarker = githubToken ? 'auth' : 'noauth';
+		const repoCacheKey = `repos-${platformUsernameLocal}-${orgName}-${startDateForCache}-${endDateForCache}-${tokenMarker}`;

 		const now = Date.now();
</code_context>
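Review bot: The new `repoCacheKey` still joins its parts with `-`, and GitHub logins and organisation names may themselves contain hyphens, so appending `${tokenMarker}` does not make the key unambiguous: two different username/org pairs can still produce the same string and share one cache entry. Build the key from an encoded tuple (for example `JSON.stringify([...])`) or use a separator that cannot occur in the fields, and add a one-line comment stating which fields the key is meant to cover.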
<issue_to_address>
**suggestion (bug_risk):** Token marker logic here is inconsistent with `getRepoCacheKey`’s trimming behavior.

`getRepoCacheKey` uses `token && token.trim() ? 'auth' : 'noauth'`, while this code uses `githubToken ? 'auth' : 'noauth'`. A whitespace-only token will be treated as `'noauth'` in the popup but `'auth'` here, leading to inconsistent cache keys between flows. Align the logic (e.g. `githubToken && githubToken.trim()`) so both paths define “authenticated” the same way.

```suggestion
		const tokenMarker = githubToken && githubToken.trim() ? 'auth' : 'noauth';
```
</issue_to_address>

Contributor

Copilot AI left a comment

Pull request overview

Fixes stale GitHub repository filter results being reused across unauthenticated vs authenticated sessions by making repo-cache keys auth-state aware and invalidating cached repo data when token auth state changes.

Changes:

  • Add an auth/noauth marker to GitHub repo cache keys used by popup repo filtering and scrum generation repo fetching.
  • Invalidate repoCache in popup when the GitHub token transitions between empty and non-empty.
  • Update Biome schema URL to match the installed Biome CLI version and apply formatting updates.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/scripts/popup.js | Adds token auth-state marker to repo cache keys and invalidates repo cache on auth-state transitions. |
| src/scripts/scrumHelper.js | Updates internal repo cache key to include auth-state marker; formatting adjustments. |
| src/scripts/gitlabHelper.js | Formatting-only changes (no intended logic changes). |
| biome.json | Updates $schema to Biome 2.4.9 to match installed CLI. |

Copilot AI review requested due to automatic review settings April 11, 2026 11:20
Member

@mariobehling mariobehling left a comment

Please address AI reviews or mention why they are not relevant if so.

@mariobehling
Member

Also fix linting issues.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.


Copilot AI review requested due to automatic review settings April 11, 2026 12:11
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.


@Nsanjayboruds
Contributor Author

Addressed the security review findings.

  • Replaced custom token hashing with SHA-256-based fingerprinting (crypto.subtle.digest) for repo cache keys.
  • Ensured token handling is normalized via trim() before both fingerprinting and GraphQL authorization.
  • Updated affected cache-key call sites accordingly.

Validation:

  • npm run lint ✅
  • npm run check ✅
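
The fingerprint-keyed cache discussed in this thread (Sourcery's request for a non-reversible token fingerprint and the SHA-256 change described in the comment above), as an added example that is not the PR's code. The function names `tokenFingerprint`, `buildRepoCacheKey`, `nextStoragePayload` and `isCacheUsable` are hypothetical, and the example assumes the cache entry has the `{ data, timestamp, cacheKey }` shape shown in the reviewer's guide.

```javascript
// Added illustration, not code from the PR. All function names are hypothetical.
// Web Crypto is global in extension pages and recent Node; the fallback covers older Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Non-reversible marker for the token: 'noauth' for an empty or whitespace-only
// value, otherwise 'auth:' followed by the hex SHA-256 of the trimmed token.
async function tokenFingerprint(token) {
  const normalized = (token ?? '').trim();
  if (!normalized) return 'noauth';
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(normalized));
  const hex = Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
  return `auth:${hex}`;
}

// JSON-encode the parts so a hyphen inside a login or org name cannot make two
// different (username, org) pairs collide, as a '-'-joined template string can.
async function buildRepoCacheKey(username, orgName, token) {
  return JSON.stringify(['repos', username, orgName ?? '', await tokenFingerprint(token)]);
}

// Decide what to write to storage when the token field changes. repoCache is
// cleared on any fingerprint change, not only on an auth <-> noauth transition.
async function nextStoragePayload(previousFingerprint, newTokenValue) {
  const fingerprint = await tokenFingerprint(newTokenValue);
  const payload = { githubToken: (newTokenValue ?? '').trim() };
  if (fingerprint !== previousFingerprint) payload.repoCache = null;
  return { fingerprint, payload };
}

// A cached entry is usable only if its key matches the key computed for the
// current token and it is younger than maxAgeMs.
function isCacheUsable(repoCache, expectedKey, now, maxAgeMs) {
  return Boolean(repoCache)
    && repoCache.cacheKey === expectedKey
    && now - repoCache.timestamp < maxAgeMs;
}
```
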

@Nsanjayboruds
Contributor Author

Hi @mariobehling and @vedansh-5,

I’ve implemented all the requested changes and updates. Could you please take a moment to review the PR? Your feedback would be greatly appreciated.

Thank you!

Copilot AI review requested due to automatic review settings April 19, 2026 11:33
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.


Comment thread biome.json Outdated
@@ -1,5 +1,5 @@
{
"$schema": "https://biomejs.dev/schemas/2.3.13/schema.json",
"$schema": "https://biomejs.dev/schemas/2.4.9/schema.json",
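Review bot: The `$schema` URL on the changed line carries a Biome version in its path, so it goes stale every time the dependency is bumped and has to be edited by hand again. Pointing `$schema` at the schema file shipped with the installed package (`./node_modules/@biomejs/biome/configuration_schema.json`) keeps editor validation in step with the CLI without another change to this file.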
Copilot AI Apr 19, 2026

biome.json schema is set to 2.4.9, but package.json pins @biomejs/biome to 2.4.11. Either bump the schema URL to 2.4.11 or align the dependency/version claim so tooling and editor validation match.

Contributor Author

Fixed. Schema is aligned to Biome 2.4.11 to match the dependency version and avoid tooling mismatch.


Labels

config core extension frontend javascript Pull requests that update javascript code

Development

Successfully merging this pull request may close these issues.

[Bug] Repo Filter Cache Ignores Token/Auth State, Causing Stale/Missing Private Repositories

3 participants