Last updated: 2026-05-14 (v2.0.0)
Auto Rebaser is a browser extension that automatically rebases your open GitHub pull requests when they fall behind their base branch and runs a small set of opt-in housekeeping automations. v2 adds multi-account support and an opt-in desktop-notifications path. This document describes what data the extension handles and how.
api.github.com and github.com (or your GitHub Enterprise Server host, if you’ve configured one).Two sign-in methods are supported:
repo scope.Both methods store credentials in chrome.storage.local (or browser.storage.local on Firefox). No credentials are ever written to chrome.storage.sync — they stay on the device that signed in.
You can sign in with more than one GitHub account on a single install. Each account is identified by its GitHub login and stored under a per-account namespace inside chrome.storage.local (accounts.<id>.*). Every per-account data category below is keyed by that namespace — there is no shared global cache for auth, PR data, ETags, or throttles. Switching the active account in the popup only changes which namespace the UI reads from; nothing is exchanged between accounts.
| Data | Storage | Per-account? | Purpose |
|---|---|---|---|
| Auth credentials (GitHub App token set, OR personal access token) | chrome.storage.local |
yes | Authenticates GitHub API calls. Required for the extension to function. |
| List of GitHub App installations accessible to you | chrome.storage.local |
yes | Display “via GitHub App on org-a, org-b” and gate writes against suspended installations. |
| List of your open authored PRs (repo, number, title, state, etc.) | chrome.storage.local |
yes | Display in the popup; detect when a PR falls behind. |
| Reviewer PR cache (PRs where you’re a requested reviewer or assignee, v2) | chrome.storage.local |
yes | Render the reviewer dashboard tab. |
| Per-URL ETags | chrome.storage.local |
yes | Reduce GitHub API quota consumption via conditional requests. Per-account so no account ever echoes another’s If-None-Match. |
| Settings — global (poll interval, ignored repos, keyboard shortcuts, GHES host) | chrome.storage.sync |
no — shared | Cross-account preferences synced by your browser vendor. |
| Settings — per-account (automation toggles, opt-out lists, notification preferences, reviewer-tab toggle) | chrome.storage.sync |
yes | Each signed-in account keeps its own opt-outs and toggles. |
| Activity log (action, repo, PR number, PR title, result, timestamp) | chrome.storage.local |
yes | Audit trail for automated actions. Capped at 200 entries / 30 days. Cleared on demand via “Clear log”. Never synced. |
| Ping throttle (PR id → last-pinged timestamp) | chrome.storage.local |
yes | Prevents the popup’s “ping reviewers” button from re-posting within 24 hours. Pruned automatically. |
| Rerequest throttle (PR id → last-rerequested timestamp) | chrome.storage.local |
yes | Same throttle pattern for the v2 push-since-approval re-review chip. |
Notification throttle ((prId, event) → last-notified timestamp, v2) |
chrome.storage.local |
yes | 1-hour throttle per (PR, event) so desktop notifications don’t spam. Pruned automatically. |
| Already-resolved review threads (thread id → timestamp) | chrome.storage.local |
yes | Prevents re-resolving threads that a teammate manually un-resolved. |
| Reviewer auto-merge arming cache (v2) | chrome.storage.local |
yes | Records that the 4-gate reviewer auto-merge has fired for a given PR, so the gate is idempotent across polls. |
chrome.storage.sync data is synced by your browser vendor (Google or Mozilla) to your other signed-in browser instances, encrypted in transit. Auto Rebaser does not control or have access to that sync channel.
Sign-out for a single account clears that account’s namespace (auth, PR caches, throttles). “Sign out all” wipes every account’s namespace. Uninstall removes everything.
The extension makes HTTPS requests only to:
https://api.github.com/* (REST + GraphQL) and https://github.com/* (OAuth + Device Flow endpoints), ORhttps://<your-ghes-host>/* instead.Each request includes the active account’s access token in the Authorization header so GitHub can authenticate you. No request goes anywhere else.
The notifications permission is optional and requested at runtime only when you toggle desktop notifications ON in settings. Default is OFF. If you grant the permission, the extension calls the browser’s local chrome.notifications.create API to display a system notification — no notification content is ever transmitted off your device. Toggling notifications OFF in settings revokes the runtime permission grant.
| Permission | Required? | Why |
|---|---|---|
storage |
install-time | Store the items in the table above. |
alarms |
install-time | Schedule the periodic poll (default every 5 minutes). |
host_permissions: api.github.com, github.com |
install-time | Talk to the GitHub API and complete the OAuth Device Flow. |
optional_host_permissions: https://*/* (Chrome) / optional_permissions: https://*/* (Firefox) |
runtime, opt-in | Requested only if you configure a GitHub Enterprise Server host in settings. The browser prompts you to grant access to that specific host before any request is made. |
notifications (v2) |
runtime, opt-in | Requested only when you toggle desktop notifications ON in settings. Used to display local system notifications via chrome.notifications.create. No data is transmitted. |
chrome.storage.local (and browser.storage.local on Firefox) is unencrypted at rest. If local malware runs with access to your browser profile, or if another extension has been granted the storage permission with broad host access, it could read the tokens stored there. This is an inherent limitation of the browser extension storage API; it is not specific to Auto Rebaser.
What this means in practice:
chrome.storage.local.set call, so there is no window where the extension holds two valid refresh tokens simultaneously.github.com). Auto Rebaser has no backend that receives, logs, or proxies credentials.For the full vulnerability assessment and residual risk register that informed these design choices, see docs/security/2026-05-14-owasp-review.md.
notifications permission grant.Auto Rebaser is open source. You can read every line that handles your data: https://github.com/bradygrapentine/auto-rebaser
Questions or concerns: grapentineb@gmail.com