Summary
Multiple dashboard components parse SSE/WebSocket data via JSON.parse(e.data) and then directly cast the result to typed interfaces without runtime validation:
TranscriptViewer.tsx:72-76 — const data: ParsedEntry = raw.data (annotation, not validation)TerminalPassthrough.tsx:105-107 — same patternresilient-websocket.ts:66 — JSON.parse(event.data as string) passed directly to callbacks
Meanwhile, useSessionPolling.ts:182 correctly uses SessionSSEEventDataSchema.safeParse().
Files Affected
dashboard/src/components/session/TranscriptViewer.tsx:72-76dashboard/src/components/session/TerminalPassthrough.tsx:105-107dashboard/src/api/resilient-websocket.ts:66
Suggested Fix
Use the existing SessionSSEEventDataSchema.safeParse() pattern in all SSE/WebSocket message handlers, matching the approach already used in useSessionPolling.ts.
Code review finding from full codebase audit (2026-04-04)
Summary
Multiple dashboard components parse SSE/WebSocket data via
JSON.parse(e.data)and then directly cast the result to typed interfaces without runtime validation:TranscriptViewer.tsx:72-76—const data: ParsedEntry = raw.data(annotation, not validation)TerminalPassthrough.tsx:105-107— same patternresilient-websocket.ts:66—JSON.parse(event.data as string)passed directly to callbacksMeanwhile,
useSessionPolling.ts:182correctly usesSessionSSEEventDataSchema.safeParse().Files Affected
dashboard/src/components/session/TranscriptViewer.tsx:72-76dashboard/src/components/session/TerminalPassthrough.tsx:105-107dashboard/src/api/resilient-websocket.ts:66Suggested Fix
Use the existing
SessionSSEEventDataSchema.safeParse()pattern in all SSE/WebSocket message handlers, matching the approach already used inuseSessionPolling.ts.Code review finding from full codebase audit (2026-04-04)