Several timeline command components assume specific payload shapes and will throw if the data doesn't match. An error boundary was added in #1598 to prevent these from crashing the app, but the components themselves should add defensive guards.
Vulnerable components:
AsyncStorageMutationCommand — payload.data.key accessed without null checkApiResponseCommand — payload.request and payload.response destructured without null checksStateValuesChangeCommand — insufficient type checking before Object.keys()BenchmarkReportCommand — payload.steps array accessed without validation, crashes on empty arraySagaTaskCompleteCommand/Stateless — payload.children.length and .map() without array check
These were safe when the only payload source was the client SDK, but with the MCP server (#1598) there's now a second source of commands that may produce different shapes.
Several timeline command components assume specific payload shapes and will throw if the data doesn't match. An error boundary was added in #1598 to prevent these from crashing the app, but the components themselves should add defensive guards.
Vulnerable components:
AsyncStorageMutationCommand—payload.data.keyaccessed without null checkApiResponseCommand—payload.requestandpayload.responsedestructured without null checksStateValuesChangeCommand— insufficient type checking beforeObject.keys()BenchmarkReportCommand—payload.stepsarray accessed without validation, crashes on empty arraySagaTaskCompleteCommand/Stateless—payload.children.lengthand.map()without array checkThese were safe when the only payload source was the client SDK, but with the MCP server (#1598) there's now a second source of commands that may produce different shapes.