Injected files strict checking

[jonathanKingston]

Asana Task/Github Issue:

Description

Created 13 Cursor rule files (.cursor/rules/strict-*.mdc) to define subagent tasks for migrating all 80 remaining injected/src/ files into strict TypeScript checking (CORE_FILES). Each rule file is a self-contained task, providing:

• Specific file assignments for strictness fixes.
• Full tsc --strict error output for the assigned files.
• Detailed fix patterns for common TypeScript errors.
• A step-by-step workflow for subagents, including branching and verification.
• Constraints to ensure type-only changes without introducing any or @ts-ignore.

These files enable parallel subagent execution to systematically address strictness errors across the injected/src/ directory.

Testing Steps

• Launch subagents using these rule files (e.g., cursor --rule .cursor/rules/strict-detectors.mdc).
• Verify that each subagent creates a separate branch following the cursor/strict/<name> convention.
• Confirm that the subagents correctly identify and fix strict errors as per their instructions, and that tsc-strict-core passes on their respective branches.

Checklist

Please tick all that apply:

• I have tested this change locally
• I have tested this change locally in all supported browsers
• This change will be visible to users
• I have added automated tests that cover this change
• I have ensured the change is gated by config
• This change was covered by a ship review
• This change was covered by a tech design
• Any dependent config has been merged

---

  

---

Note

Low Risk
Adds documentation-like Cursor rule files only; no runtime code or build configuration is changed beyond guiding future work, so behavior risk is low.

Overview
Introduces 13 new .cursor/rules/strict-*.mdc files that define subagent task plans for enabling strict TypeScript checking across remaining injected/src areas (broker protection, click-to-load, detectors, DuckPlayer, fingerprinting, message bridge, standalone features, and web compat/telemetry).

Each rule file enumerates the target files, captures current tsc --strict error output, and provides fix patterns/workflows (including adding the files to CORE_FILES in scripts/check-strict-core.js) to enable parallel, type-only strictness migrations. No hardcoded secrets were found in the added rules.

^{Reviewed by Cursor Bugbot for commit 5ef9a78. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[github-actions]

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:15:56 GMT

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[github-actions]

Build Branch

Branch	pr-releases/jkt/auto/injected-files-strict-checking-afb6
Commit	36890eb9b7
Updated	May 22, 2026 at 10:15:14 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/jkt/auto/injected-files-strict-checking-afb6

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/jkt/auto/injected-files-strict-checking-afb6")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/injected-files-strict-checking-afb6
git -C submodules/content-scope-scripts checkout origin/pr-releases/jkt/auto/injected-files-strict-checking-afb6

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#36890eb9b7bb5fc7314fa2309dcfccf0e13d6620

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "36890eb9b7bb5fc7314fa2309dcfccf0e13d6620")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/injected-files-strict-checking-afb6
git -C submodules/content-scope-scripts checkout 36890eb9b7bb5fc7314fa2309dcfccf0e13d6620

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[cursor]

Stale comment

Web Compatibility Assessment

1. .cursor/rules/strict-broker-protection-rest.mdc (## Fix Patterns, around line 88), severity: info.
   The change is process/documentation-only and does not modify injected runtime code paths (load/init/urlChanged, wrappers, shims, or platform entry points), so there is no direct API-surface/prototype-chain/site-compat regression in this PR itself.

2. .cursor/rules/*.mdc (all new files), severity: info.
   No changes to injected/src/ execution logic, wrapper utilities, or feature enablement gates were introduced; compatibility risk is deferred to follow-up implementation PRs that apply these rules.

Security Assessment

1. .cursor/rules/strict-broker-protection-rest.mdc (## Fix Patterns, around line 88), severity: warning.
   The guidance includes "Add // @ts-ignore only as last resort" for parse-address. In this codebase, suppressing checker errors in injected/security-sensitive code can mask type-contract violations around page-controlled data and should be avoided in migration guidance unless narrowly constrained and justified.

2. .cursor/rules/*.mdc (all new files), severity: info.
   No modifications to captured-globals, message transports, message-bridge trust checks, origin validation, or network/data-exfiltration surfaces were made. Direct exploitability change in this PR is effectively nil.

Risk Level

Low Risk — this PR adds only Cursor rule/task-definition files and does not alter shipped injected JavaScript behavior, platform bridges, or security-critical runtime code.

Recommendations

1. Remove or tighten the @ts-ignore suggestion in .cursor/rules/strict-broker-protection-rest.mdc; prefer local type declarations (.d.ts) or unknown + narrowing.
2. Add a short shared rule snippet (referenced by all strict task files) forbidding @ts-ignore/any without exception to prevent drift across subagent outputs.
3. For follow-up PRs generated from these rules, require targeted integration coverage for message-bridge, web-compat, and wrapper-facing files in addition to tsc-strict-core/unit/lint checks.

---

  

Dismissing stale approval — new commits pushed, awaiting Cursor re-review.

[cursor]

Web Compatibility Assessment

1. .cursor/rules/*.mdc (all new files), severity: info.
   This PR adds Cursor task/rule files only. It does not change shipped injected runtime code, feature lifecycle ordering, wrappers/shims, platform entry points, DOM observers, or API overrides, so I do not see a direct web-compat regression in the current diff.

Security Assessment

1. .cursor/rules/strict-message-bridge.mdc line 96, .cursor/rules/strict-web-compat-and-telemetry.mdc line 80, .cursor/rules/strict-broker-protection-rest.mdc line 86, severity: warning.
   The strict-fix guidance recommends bare String(error) / instanceof Error patterns. For injected code, especially message-bridge and web-compat, that can lead follow-up implementations to read mutable page-world globals instead of importing captured String / Error from injected/src/captured-globals.js. This PR does not introduce the runtime bug directly, but the rule would steer future strictness migrations toward a global-capture hygiene violation.

2. .cursor/rules/strict-broker-protection-rest.mdc lines 88 and 106, severity: warning.
   The parse-address guidance allows // @ts-ignore as an exception. In injected/security-sensitive code, suppressing checker errors can hide contract mismatches around page-controlled data. Prefer a minimal local declaration or typed wrapper with unknown + narrowing, and keep the rule’s no-@ts-ignore constraint absolute.

Risk Level

Low Risk — current changes are process-only Cursor rules and do not alter shipped injected JavaScript, messaging transports, captured globals, or origin/security checks.

Recommendations

1. Replace bare error coercion guidance with captured-global-safe patterns, e.g. import { String, Error } from captured-globals.js where coercion or instanceof is needed.
2. Remove the @ts-ignore exception for parse-address; use a local .d.ts module declaration or a narrow typed adapter instead.
3. For follow-up PRs generated from these rules, require targeted review/tests for message-bridge, web-compat, and wrapper-facing strictness fixes, not just tsc-strict-core.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

For injected code, this guidance should avoid bare String(e) / instanceof Error: both read mutable page-world globals if copied into runtime code. Prefer explicitly importing captured String / Error from injected/src/captured-globals.js in follow-up strictness fixes, especially in message-bridge.

[cursor]

I’d remove the @ts-ignore escape hatch here. A minimal local module declaration or typed adapter keeps strict checking useful without creating a pattern that can suppress security-relevant type contract issues in injected code.