refactor(web): guard RightRail attachment payload instead of casting

[bhekanik]

What

Replaces an unchecked item as AttachmentView cast in RightRail's attachments branch with a runtime isAttachmentView type guard. Audit backlog item P2 #21 (RightRail type-safety).

Why

The attachments rail mapped each payload item with a bare cast, so a malformed payload would flow garbage into AttachmentActions (e.g. attachment.id/filename undefined). The other rail kinds already guard their payloads; this brings the attachments branch in line.

Scope notes (honest verification)

• The audit also flagged the sender-profile and commitments panels as receiving unknown "without type guards." On inspection they do validate internally — extractSenderProfile returns null and extractCommitments returns [] on a bad shape, each rendering an empty state — so they are not a crash risk and are left as-is.
• The central queryKeys module half of this item is a ~160-call-site sweep across the app. That's a high-blast-radius refactor for marginal type-safety gain, so it is intentionally deferred rather than bundled here.

Verification

npm run typecheck, oxlint, oxfmt --check clean; vite build succeeds.

Generated with Claude Code

---

Summary by cubic

Guard attachment payloads in RightRail with a runtime isAttachmentView check, replacing the unchecked cast. Prevents malformed items from reaching AttachmentActions and aligns with other rails; addresses audit item P2 #21.

• Refactors
  • Added isAttachmentView and filter the attachments array before rendering, so only well-formed attachments render.

^{Written for commit 21ce202. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mxr-mail	Ready	Preview, Comment	Jun 10, 2026 5:40pm

[coderabbitai]

Warning

Review limit reached

@bhekanik, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 37 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 97c3c52c-b9f0-44d5-8127-4bce64b74be6

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb7a09 and 21ce202.

📒 Files selected for processing (1)

• apps/web/src/components/RightRail.tsx

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/web-rightrail-typesafety

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}