Widget GitHub API rate limiting: 3-4 calls per verify at 60/hr #70

@bordumb

Description

Problem

Each widget verification makes 3-4 unauthenticated GitHub API calls:

  1. GET /repos/:owner/:repo/git/matching-refs/auths/ — find registry ref
  2. GET /repos/:owner/:repo/git/commits/:sha — get commit for tree
  3. GET /repos/:owner/:repo/git/trees/:sha?recursive=1 — walk full tree
  4. GET /repos/:owner/:repo/git/blobs/:sha — read state.json (+ more for attestations)

GitHub's unauthenticated rate limit is 60 requests/hour per IP. That means a single user can verify ~15-20 repos per hour before hitting 403 errors.

This already caused a production outage during development — the live demo at auths-dev.github.io/example-verify-badge showed "Error" because rate limits were exhausted.

Options to explore

  1. Client-side caching — already partially implemented (cache.ts), but doesn't survive page reloads
  2. Proxy/CDN — serve identity data from a static endpoint that doesn't count against API limits
  3. GitHub token support — let users optionally provide a PAT (5,000 req/hr), but adds friction
  4. Collapse API calls — use the Contents API (/repos/:owner/:repo/contents/) with a single call if possible
  5. Service worker cache — persist verified results in browser storage
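As an added example (not code from the auths project or its cache.ts), the following shows how options 1 and 5 could be combined: a cache that is persisted in localStorage-style storage so it survives reloads, is bounded by a TTL, and, once the TTL expires, revalidates with an ETag conditional request. GitHub answers an unchanged resource with 304 Not Modified and does not count that response against the unauthenticated limit, so a stale-but-valid entry costs nothing to refresh. A 403 while an entry exists falls back to the stored data instead of rendering "Error". The storage stand-in, the fake GitHub endpoint, the ETag, the blob URL and the 5-minute TTL are all constructed for the example so it runs under Node without a network.

```javascript
// Added example, not part of the auths widget. Assumed policy: serve from
// cache without any request for TTL_MS, then revalidate with If-None-Match.
const TTL_MS = 5 * 60 * 1000;

// Decide what to do for one URL given the cached entry (or null) and the clock.
// Pure function so the policy can be tested without a network.
function planRequest(entry, nowMs, ttlMs = TTL_MS) {
  if (entry && nowMs - entry.fetchedAt < ttlMs) {
    return { action: 'use-cache' };
  }
  const headers = { Accept: 'application/vnd.github+json' };
  if (entry && entry.etag) {
    headers['If-None-Match'] = entry.etag; // a 304 reply is not charged to the rate limit
    return { action: 'revalidate', headers };
  }
  return { action: 'fetch', headers };
}

// Fold one response into the cache entry. `headers` needs a get() method (Headers or Map);
// `body` is the parsed JSON for 200, null otherwise. Returns { entry, source } or throws.
function applyResponse(entry, status, headers, body, nowMs) {
  if (status === 304 && entry) {
    return { entry: { ...entry, fetchedAt: nowMs }, source: 'revalidated' };
  }
  if (status === 403 && entry) {
    // Rate-limited: a stale answer beats showing "Error" in the badge.
    return { entry, source: 'stale' };
  }
  if (status !== 200) {
    throw new Error(`GitHub API returned ${status}`);
  }
  return { entry: { data: body, etag: headers.get('etag'), fetchedAt: nowMs }, source: 'network' };
}

// Persistent wrapper: JSON entries keyed by URL in any getItem/setItem storage
// (window.localStorage in the browser), so the cache survives page reloads.
class PersistentGitHubCache {
  constructor({ fetchImpl = globalThis.fetch, storage, now = Date.now, ttlMs = TTL_MS }) {
    Object.assign(this, { fetchImpl, storage, now, ttlMs });
    this.rateLimitRemaining = null; // last X-RateLimit-Remaining seen, for diagnostics
  }

  load(url) {
    const raw = this.storage.getItem('gh:' + url);
    return raw ? JSON.parse(raw) : null;
  }

  async get(url) {
    const entry = this.load(url);
    const plan = planRequest(entry, this.now(), this.ttlMs);
    if (plan.action === 'use-cache') return { data: entry.data, source: 'cache' };

    const res = await this.fetchImpl(url, { headers: plan.headers });
    const remaining = res.headers.get('x-ratelimit-remaining');
    if (remaining !== null && remaining !== undefined) this.rateLimitRemaining = Number(remaining);

    const body = res.status === 200 ? await res.json() : null;
    const result = applyResponse(entry, res.status, res.headers, body, this.now());
    this.storage.setItem('gh:' + url, JSON.stringify(result.entry));
    return { data: result.entry.data, source: result.source };
  }
}

// Constructed stand-ins so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// Fake endpoint that counts requests and honours If-None-Match with a 304.
function fakeGitHub(etag, body) {
  const stats = { requests: 0 };
  async function fetchImpl(url, opts) {
    stats.requests += 1;
    const unchanged = opts.headers['If-None-Match'] === etag;
    return {
      status: unchanged ? 304 : 200,
      headers: new Map([['etag', etag], ['x-ratelimit-remaining', unchanged ? '59' : '58']]),
      json: async () => body,
    };
  }
  return { fetchImpl, stats };
}

// Scenario: the same blob fetched three times; a fresh client each time simulates a reload.
async function scenario() {
  const storage = memoryStorage();
  const gh = fakeGitHub('"abc123"', { version: 1 }); // constructed ETag and body
  let clock = 1_000_000;
  const client = () => new PersistentGitHubCache({ fetchImpl: gh.fetchImpl, storage, now: () => clock });
  const url = 'https://api.github.com/repos/example-owner/example-repo/git/blobs/0000000';
  const sources = [];
  sources.push((await client().get(url)).source); // first load: one real request
  sources.push((await client().get(url)).source); // after "reload": served from storage
  clock += TTL_MS + 1;
  sources.push((await client().get(url)).source); // TTL expired: free 304 revalidation
  return { sources, requests: gh.stats.requests };
}
```

Splitting the policy into `planRequest` and `applyResponse` keeps the part that decides whether a request is spent independent of fetch and storage, which is the part worth unit-testing when the budget is 60 calls an hour; the 403 fallback only applies when an entry exists, so a first-time verification that is rate-limited still surfaces as an error rather than silently passing.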

Impact

Any page embedding multiple <auths-verify> widgets (e.g., a team page) will exhaust rate limits quickly. This needs a solution before launch.
