Harden benchmark safety helpers

Treat malformed resolver return values as public before reading or
iterating the result.  Also guard the explicit-load helper against
non-object load values before using property checks.

#795 (comment)
#795 (comment)

Assisted-by: Codex:gpt-5.5

Author: dahlia

packages/cli/src/bench/action.ts

@@ -505,6 +505,7 @@ function unsafeOverrideScenario(
 
 function hasExplicitLoad(load: LoadConfig | undefined): boolean {
   return load != null &&
+    typeof load === "object" &&
     (("rate" in load && load.rate != null) ||
       ("concurrency" in load && load.concurrency != null));
 }

packages/cli/src/bench/safety/tiers.test.ts

@@ -103,6 +103,14 @@ test("classifyResolvedTarget - treats resolution failure as public", async () =>
   assert.strictEqual(tier, "public");
 });
 
+test("classifyResolvedTarget - treats non-array resolver output as public", async () => {
+  const tier = await classifyResolvedTarget(
+    new URL("https://bench.example"),
+    () => Promise.resolve(null as unknown as readonly string[]),
+  );
+  assert.strictEqual(tier, "public");
+});
+
 test("classifyResolvedTarget - treats malformed resolver output as public", async () => {
   const tier = await classifyResolvedTarget(
     new URL("https://bench.example"),

packages/cli/src/bench/safety/tiers.ts

@@ -58,7 +58,8 @@ export async function classifyResolvedTarget(
   if (direct !== "public" || isIpLiteral(host)) return direct;
   let addresses: readonly string[];
   try {
-    addresses = await resolveAddresses(host);
+    const resolved = await resolveAddresses(host);
+    addresses = Array.isArray(resolved) ? resolved : [];
   } catch {
     return "public";
   }