build(deps-dev): bump typescript-eslint from 8.58.2 to 8.59.0 in the typescript-eslint group

[dependabot]

Bumps the typescript-eslint group with 1 update: typescript-eslint.

Updates typescript-eslint from 8.58.2 to 8.59.0

Release notes

Sourced from typescript-eslint's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.0 (2026-04-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by CodeRabbit

• Chores
  • Updated development tooling and linting dependencies.
• Bug Fixes
  • Tightened validation for public incident locations to improve data correctness.
  • Improved handling of authentication token claims and related state to reduce type-related runtime issues.
• Tests
  • Consolidated and clarified test timing/configuration and updated several test inputs for consistency.

[coderabbitai]

📝 Walkthrough

Walkthrough

A collection of small typing, casting and lint-tool updates across the repo: dependency bump for typescript-eslint, removal or relaxation of explicit TypeScript casts in hooks/callables/auth flows, minor test and helper timing/typing changes, a storage-instance typing simplification, and a few formatting/lint-line deletions. No public APIs were changed.

Changes

Cohort / File(s)	Summary
Dependency package.json	Bumped dev dependency typescript-eslint from ^8.8.0 to ^8.59.0.
Auth & Claims Handling packages/shared-ui/src/auth-provider.tsx, functions/src/callables/* (cancel-dispatch.ts, close-report.ts, dispatch-responder-validation.ts, merge-duplicates.ts, reject-report.ts, shift-handoff.ts, verify-report.ts)	Removed/relaxed explicit type assertions when reading token claims (role/active) and removed a type-only import/cast for report status; adjusted transaction callback return typing in merge-duplicates. Runtime behavior unchanged.
Hooks / Snapshot Normalization apps/citizen-pwa/src/hooks/usePublicIncidents.ts, apps/responder-app/src/hooks/useDispatch.ts	Tightened runtime validation (use Number.isFinite on unknown values) and removed intermediate Record<string, unknown> cast when normalizing Firestore snapshot data; also adjusted error state assignment in onSnapshot error path.
LocalForage Storage Typing apps/citizen-pwa/src/services/draft-store.ts	Removed as unknown as ... casts from localforage.createInstance(...) return values; keeps same cached storage behaviour.
Tests — typing / lint cleanup / data formatting functions/lib/__tests__/helpers/*, functions/lib/__tests__/rules/*, functions/lib/__tests__/services/rate-limit.test.js, functions/lib/__tests__/triggers/*, functions/src/__tests__/*, packages/shared-firebase/src/env.test.ts	Replaced various as any / as UserRole / as never casts with direct values or named types; removed some eslint-disable comments; reformatted object literals; adjusted seeded test data/statuses in a few rule tests; added/centralized timing constants in rules-harness.
Seed factories typing functions/lib/__tests__/helpers/seed-factories.d.ts, functions/lib/__tests__/helpers/seed-factories.js	Introduced exported DispatchSeed interface and narrowed seedDispatchRT overrides to Partial<DispatchSeed>; removed an in-file JSDoc comment.
Idempotency return typing functions/src/idempotency/guard.ts	Removed explicit cast on cached-path return, returning data.resultPayload ?? null directly.
FCM token cleanup formatting functions/lib/services/fcm-send.js	Whitespace/formatting change only for the invalid-token cleanup guard condition; logic unchanged.

Sequence Diagram(s)

(Skipped — changes are small typing/formatting adjustments and do not introduce new multi-component control flow requiring visualization.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix(phase-5): responder review remediation — callable hardening, E2E decline flow, auth error surfacing #60 — modifies apps/responder-app/src/hooks/useDispatch.ts; closely related to the snapshot normalization and error-path adjustments in this PR.
• feat(phase5): Cluster B — Inter-Agency Coordination #64 — touches dispatch-responder-validation logic and related type/cast usage; directly related to removal of the status cast here.
• refactor: implement refactor audit 2026-04-23 (P1-P3) #62 — changes packages/shared-ui/src/auth-provider.tsx handling of token.claims; related to the claims-casting changes in this PR.

Poem

🐰 A tiny hop through types and tests,
I nudged some casts and cleaned up nests,
Linted versions climb a little higher,
Seeds and snapshots warmed by a small fire,
Hooray — I hopped and made the code look fresher! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: bumping the typescript-eslint dependency version, which is the primary reason for the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/typescript-eslint-738b6bc52f

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

functions/src/callables/dispatch-responder-validation.ts (1)

114-123: ⚠️ Potential issue | 🔴 Critical

Add explicit type cast or type guard before calling isValidReportTransition.

After the typeof check on line 115, rawStatus has type string, but isValidReportTransition expects a ReportStatus (union of specific string literals). Cast the value explicitly with rawStatus as ReportStatus or introduce a proper type guard that validates the value is a valid report status before the function call.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@functions/src/callables/dispatch-responder-validation.ts` around lines 114 -
123, rawStatus is only narrowed to string by the typeof check but
isValidReportTransition expects a ReportStatus literal; add an explicit cast or
guard before calling it: after the typeof rawStatus !== 'string' check, either
validate rawStatus against the ReportStatus set (a type guard) or cast it with
rawStatus as ReportStatus, then call
isValidReportTransition(rawStatusAsReportStatus, to) in the existing conditional
(referencing rawStatus, isValidReportTransition, ReportStatus and the to =
'assigned' constant) so the call no longer passes a plain string.

functions/src/callables/shift-handoff.ts (1)

260-269: ⚠️ Potential issue | 🟡 Minor

Use a typed auth-claims helper to narrow the type at the boundary.

req.auth.token is cast to Record<string, unknown>, leaving claims.active as unknown type. The validation check at line 237 (claims.active !== true) does not narrow TypeScript's type for unknown, so assigning it to HandoffActor.claims.active (typed as boolean) fails strict type checking.

Either narrow the claims type with a type guard or Zod schema before constructing actor, or explicitly cast individual properties.

Also applies to: 317-326

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@functions/src/callables/shift-handoff.ts` around lines 260 - 269, The code
assigns req.auth.token (treated as Record<string, unknown>) to claims and then
writes claims.active into HandoffActor.claims.active (boolean), which fails
strict typing; fix by narrowing the claims type at the boundary (e.g., add a
typed helper/type guard or Zod parse for req.auth.token) or explicitly extract
and cast each property before building the actor (e.g., derive const active =
typeof claims.active === 'boolean' ? claims.active : false and similarly narrow
role/municipalityId/auth_time), then construct the actor using the narrowed
variables so HandoffActor.claims.active is a boolean; apply the same pattern for
the other occurrence around the block that builds actor (also referenced later
near lines 317-326).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@functions/src/callables/dispatch-responder-validation.ts`:
- Around line 114-123: rawStatus is only narrowed to string by the typeof check
but isValidReportTransition expects a ReportStatus literal; add an explicit cast
or guard before calling it: after the typeof rawStatus !== 'string' check,
either validate rawStatus against the ReportStatus set (a type guard) or cast it
with rawStatus as ReportStatus, then call
isValidReportTransition(rawStatusAsReportStatus, to) in the existing conditional
(referencing rawStatus, isValidReportTransition, ReportStatus and the to =
'assigned' constant) so the call no longer passes a plain string.

In `@functions/src/callables/shift-handoff.ts`:
- Around line 260-269: The code assigns req.auth.token (treated as
Record<string, unknown>) to claims and then writes claims.active into
HandoffActor.claims.active (boolean), which fails strict typing; fix by
narrowing the claims type at the boundary (e.g., add a typed helper/type guard
or Zod parse for req.auth.token) or explicitly extract and cast each property
before building the actor (e.g., derive const active = typeof claims.active ===
'boolean' ? claims.active : false and similarly narrow
role/municipalityId/auth_time), then construct the actor using the narrowed
variables so HandoffActor.claims.active is a boolean; apply the same pattern for
the other occurrence around the block that builds actor (also referenced later
near lines 317-326).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 39626c84-ac39-4eeb-899f-e4ec99cd2e6b

📥 Commits

Reviewing files that changed from the base of the PR and between 43bd430 and 4f2ea90.

⛔ Files ignored due to path filters (22)

• functions/lib/__tests__/callables/merge-duplicates.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/callables/shift-handoff.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/helpers/rules-harness.d.ts.map is excluded by !**/*.map
• functions/lib/__tests__/helpers/rules-harness.js.map is excluded by !**/*.map
• functions/lib/__tests__/helpers/seed-factories.d.ts.map is excluded by !**/*.map
• functions/lib/__tests__/helpers/seed-factories.js.map is excluded by !**/*.map
• functions/lib/__tests__/rules/dispatches.rules.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/rules/responder-direct-writes.rules.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/services/rate-limit.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/triggers/analytics-snapshot-writer.test.js.map is excluded by !**/*.map
• functions/lib/__tests__/triggers/on-media-finalize.test.js.map is excluded by !**/*.map
• functions/lib/callables/cancel-dispatch.js.map is excluded by !**/*.map
• functions/lib/callables/close-report.js.map is excluded by !**/*.map
• functions/lib/callables/dispatch-responder-validation.d.ts.map is excluded by !**/*.map
• functions/lib/callables/dispatch-responder-validation.js.map is excluded by !**/*.map
• functions/lib/callables/merge-duplicates.js.map is excluded by !**/*.map
• functions/lib/callables/reject-report.js.map is excluded by !**/*.map
• functions/lib/callables/shift-handoff.js.map is excluded by !**/*.map
• functions/lib/callables/verify-report.js.map is excluded by !**/*.map
• functions/lib/idempotency/guard.js.map is excluded by !**/*.map
• functions/lib/services/fcm-send.d.ts.map is excluded by !**/*.map
• functions/lib/services/fcm-send.js.map is excluded by !**/*.map

📒 Files selected for processing (25)

• apps/citizen-pwa/src/hooks/usePublicIncidents.ts
• apps/citizen-pwa/src/services/draft-store.ts
• apps/responder-app/src/hooks/useDispatch.ts
• functions/lib/__tests__/helpers/rules-harness.js
• functions/lib/__tests__/helpers/seed-factories.d.ts
• functions/lib/__tests__/helpers/seed-factories.js
• functions/lib/__tests__/rules/dispatches.rules.test.js
• functions/lib/__tests__/rules/responder-direct-writes.rules.test.js
• functions/lib/__tests__/services/rate-limit.test.js
• functions/lib/__tests__/triggers/analytics-snapshot-writer.test.js
• functions/lib/services/fcm-send.js
• functions/src/__tests__/callables/merge-duplicates.test.ts
• functions/src/__tests__/callables/shift-handoff.test.ts
• functions/src/__tests__/services/rate-limit.test.ts
• functions/src/__tests__/triggers/on-media-finalize.test.ts
• functions/src/callables/cancel-dispatch.ts
• functions/src/callables/close-report.ts
• functions/src/callables/dispatch-responder-validation.ts
• functions/src/callables/merge-duplicates.ts
• functions/src/callables/reject-report.ts
• functions/src/callables/shift-handoff.ts
• functions/src/callables/verify-report.ts
• functions/src/idempotency/guard.ts
• packages/shared-firebase/src/env.test.ts
• packages/shared-ui/src/auth-provider.tsx

💤 Files with no reviewable changes (2)

• functions/lib/tests/helpers/seed-factories.js
• functions/lib/tests/services/rate-limit.test.js

[Exc1D]

Superseded by direct update to typescript-eslint 8.59.1 on main, which includes all fixes for the new lint rules.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml