fix(types): replace any with unknown for response in broker-protection types.js

[jonathanKingston]

Asana Task/Github Issue:

Description

Testing Steps

Checklist

Please tick all that apply:

• I have tested this change locally
• I have tested this change locally in all supported browsers
• This change will be visible to users
• I have added automated tests that cover this change
• I have ensured the change is gated by config
• This change was covered by a ship review
• This change was covered by a tech design
• Any dependent config has been merged

---

https://claude.ai/code/session_01QaZ2NFE7y5u8YdZhjoc79m

---

Note

Low Risk
Type-only JSDoc changes that tighten SuccessResponse typing from any to generic/unknown, with no runtime logic changes. Low risk aside from potential downstream type-checking/IDE annotation adjustments.

Overview
Improves broker-protection response typing by making SuccessResponse generic (SuccessResponse<T>) and changing SuccessResponseInterface.response from any to a typed T (defaulting to unknown).

Updates JSDoc return types in build-url and getSupportingCodeToInject to specify concrete SuccessResponse payload shapes (e.g., {url: string} and {code?: string | null}), clarifying what callers can expect.

^{Reviewed by Cursor Bugbot for commit 0837d39. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:15:47 GMT

Android

    - android/autofillImport.js

• android/brokerProtection.js

File has changed

Apple

    - apple/contentScopeIsolated.js

File has changed

Integration

    - integration/contentScope.js

File has changed

Windows

    - windows/contentScope.js

File has changed

[jonathanKingston]

@cursoragen fix pleaset

rror: injected/src/features/broker-protection/actions/navigate.js(26,9): error TS2698: Spread types may only be created from object types.
Error: injected/src/features/broker-protection/actions/navigate.js(27,9): error TS2698: Spread types may only be created from object types.
Error: Process completed with exit code 2.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[jonathanKingston]

@cursor can you checkout the test fail

[cursor]

Fixed. The TS2698 errors in navigate.js were caused by spreading unknown-typed .success.response values after the any → unknown change. Added inline JSDoc casts to Record<string, unknown> at both spread sites — safe because buildUrl returns { url: string } and getSupportingCodeToInject returns {} or { code: string }.

• tsc: clean
• lint: clean
• unit tests: all passing

  

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[github-actions]

Build Branch

Branch	pr-releases/claude/fix-any-type-patch-24-sqf19
Commit	a136246170
Updated	May 22, 2026 at 10:15:20 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/claude/fix-any-type-patch-24-sqf19

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/claude/fix-any-type-patch-24-sqf19")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/claude/fix-any-type-patch-24-sqf19
git -C submodules/content-scope-scripts checkout origin/pr-releases/claude/fix-any-type-patch-24-sqf19

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#a1362461705db8d2d3f53a38769a635fc33760bf

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "a1362461705db8d2d3f53a38769a635fc33760bf")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/claude/fix-any-type-patch-24-sqf19
git -C submodules/content-scope-scripts checkout a1362461705db8d2d3f53a38769a635fc33760bf

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[cursor]

Web Compatibility Assessment

• injected/src/features/broker-protection/types.js (134-163) — info: Change is JSDoc-only (SuccessResponse made generic with T=unknown), with no constructor/static runtime behavior changes. No API shim/proxy/wrapper surface changes, so no impact on descriptor fidelity, toString() masking, prototype chains, or DOM timing paths.
• injected/src/features/broker-protection/actions/build-url.js (9) — info: Return type narrowed to SuccessResponse<{url: string}> | ErrorResponse in annotations only; function body and returned runtime object shape are unchanged.
• injected/src/features/broker-protection/captcha-services/captcha.service.js (31) — info: Return annotation narrowed to SuccessResponse<{code?: string | null}> | ErrorResponse; runtime behavior remains unchanged ({} for backward-compat path, {code: ...} for provider path).

No web-compat regression findings (warning/error) were identified in the changed lines.

Security Assessment

• injected/src/features/broker-protection/types.js (134-163) — info: No trust-boundary/runtime changes. No new global reads, captures, messaging paths, bridge logic, origin checks, or dynamic execution introduced.
• injected/src/features/broker-protection/actions/build-url.js (9) — info: Type annotation-only change; no new URL/network/data-flow behavior.
• injected/src/features/broker-protection/captcha-services/captcha.service.js (31) — info: Type annotation-only change; no message transport, iframe, or exfiltration surface changes.

No security findings (error/critical) were identified in the changed lines.

Risk Level

Low Risk — The PR is type-surface/JSDoc tightening only, with unchanged runtime logic and no modifications to wrapper utilities, captured globals, messaging transports, or other security-sensitive execution paths.

Recommendations

1. Add a focused type-check assertion test (or @ts-check fixture) that verifies SuccessResponse.create(...) preserves payload typing for {url: string} and {code?: string | null} to prevent future regression to overly broad any.
2. Optional alternative: define named payload typedefs (e.g., BuildUrlResponsePayload, CaptchaSupportCodePayload) in broker-protection/types.js and reference them from action modules to avoid repeating inline object types and keep contracts centralized.
3. Keep an eye on downstream call sites that previously depended on permissive any; stricter unknown may expose latent typing gaps during static checks (expected and desirable, but worth validating in CI type-check output).

---

  

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.