veryfront 0.1.228 → 0.1.230

package/esm/src/server/services/rsc/orchestrators/page-handler.js

@@ -1,4 +1,24 @@
 import { buildNonceAttribute } from "../../../../html/html-escape.js";
+/**
+ * Serialize a value as a JSON string literal that is safe to embed inside an
+ * inline HTML <script>. JSON already escapes quotes, backslashes, and control
+ * characters; we additionally escape:
+ *   - `<` / `>` so `</script>`, `<!--`, and `<script` cannot appear literally,
+ *   - `&` as defense-in-depth against reparsing contexts (e.g. HTML entity
+ *     re-decoding in some legacy paths),
+ *   - U+2028 / U+2029 which are valid JSON but terminate JS string literals
+ *     in older browsers.
+ *
+ * See VULN-INJ-1 in the security audit.
+ */
+function jsonForScript(value) {
+    return JSON.stringify(value)
+        .replace(/</g, "\\u003c")
+        .replace(/>/g, "\\u003e")
+        .replace(/&/g, "\\u0026")
+        .replace(/\u2028/g, "\\u2028")
+        .replace(/\u2029/g, "\\u2029");
+}
 export class PageHandler {
     handle(pathname, searchParams, nonce) {
         const html = this.buildHtml(pathname, searchParams, nonce);
@@ -10,6 +30,7 @@ export class PageHandler {
         const queryString = searchParams.toString();
         const renderUrl = `/_veryfront/rsc/render${pathname}${queryString ? `?${queryString}` : ""}`;
         const nonceAttr = buildNonceAttribute(nonce);
+        const renderUrlJs = jsonForScript(renderUrl);
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -57,7 +78,7 @@ export class PageHandler {
     }
 
     (async () => {
-      const renderUrl = '${renderUrl}';
+      const renderUrl = ${renderUrlJs};
       const payload =
         (await fetchPayload(renderUrl)) ??
         (await fetchPayload('/_veryfront/rsc/payload')) ??

package/esm/src/server/utils/proxy-trust.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Proxy trust boundary.
+ *
+ * Forwarded headers such as `x-forwarded-host` and `x-project-path` must only be
+ * honoured when the request is known to come from a trusted upstream proxy.
+ * Any other treatment lets an attacker reaching the runtime directly spoof the
+ * origin host or point project discovery at arbitrary filesystem paths.
+ *
+ * A request is considered proxy-trusted when either:
+ *   1. The operator has opted in via `VERYFRONT_TRUST_FORWARDED_HEADERS=1`
+ *      (strict "1" match — "true", "yes", whitespace-padded values do NOT count
+ *      so misconfiguration fails closed); or
+ *   2. The request carries a valid `x-veryfront-dispatch-jws` header that
+ *      cryptographically verifies against the configured control-plane public
+ *      key and whose `iat`/`exp` claims are within the allowed freshness
+ *      window. Presence alone is NOT trusted because the proxy does not strip
+ *      this header from untrusted inbound requests (it has to pass through to
+ *      the channel-invoke / channel-assistants handlers unchanged), so a
+ *      direct-access attacker could otherwise set any value and promote
+ *      forwarded-header spoofing.
+ *
+ * @module server/utils/proxy-trust
+ */
+export interface ProxyTrustOptions {
+    /**
+     * PEM-encoded Ed25519 public key used to verify `x-veryfront-dispatch-jws`.
+     * When absent, the dispatch-JWS trust signal is disabled (fails closed) and
+     * only the operator opt-in env var can unlock proxy trust.
+     */
+    publicKeyPem?: string;
+}
+export declare function isProxyTrusted(req: Request, options?: ProxyTrustOptions): Promise<boolean>;
+//# sourceMappingURL=proxy-trust.d.ts.map

package/esm/src/server/utils/proxy-trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-trust.d.ts","sourceRoot":"","sources":["../../../../src/src/server/utils/proxy-trust.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAQH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAsB,cAAc,CAClC,GAAG,EAAE,OAAO,EACZ,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,OAAO,CAAC,CAalB"}

package/esm/src/server/utils/proxy-trust.js

@@ -0,0 +1,41 @@
+/**
+ * Proxy trust boundary.
+ *
+ * Forwarded headers such as `x-forwarded-host` and `x-project-path` must only be
+ * honoured when the request is known to come from a trusted upstream proxy.
+ * Any other treatment lets an attacker reaching the runtime directly spoof the
+ * origin host or point project discovery at arbitrary filesystem paths.
+ *
+ * A request is considered proxy-trusted when either:
+ *   1. The operator has opted in via `VERYFRONT_TRUST_FORWARDED_HEADERS=1`
+ *      (strict "1" match — "true", "yes", whitespace-padded values do NOT count
+ *      so misconfiguration fails closed); or
+ *   2. The request carries a valid `x-veryfront-dispatch-jws` header that
+ *      cryptographically verifies against the configured control-plane public
+ *      key and whose `iat`/`exp` claims are within the allowed freshness
+ *      window. Presence alone is NOT trusted because the proxy does not strip
+ *      this header from untrusted inbound requests (it has to pass through to
+ *      the channel-invoke / channel-assistants handlers unchanged), so a
+ *      direct-access attacker could otherwise set any value and promote
+ *      forwarded-header spoofing.
+ *
+ * @module server/utils/proxy-trust
+ */
+import { verifyDispatchJwsSignature } from "../../channels/control-plane.js";
+import { getHostEnv } from "../../platform/compat/process.js";
+const DISPATCH_JWS_HEADER = "x-veryfront-dispatch-jws";
+const MAX_DISPATCH_SIGNATURE_AGE_SECONDS = 60;
+export async function isProxyTrusted(req, options = {}) {
+    if (getHostEnv("VERYFRONT_TRUST_FORWARDED_HEADERS") === "1")
+        return true;
+    const jws = req.headers.get(DISPATCH_JWS_HEADER);
+    if (!jws)
+        return false;
+    const { publicKeyPem } = options;
+    if (!publicKeyPem)
+        return false;
+    return verifyDispatchJwsSignature(jws, {
+        publicKeyPem,
+        maxAgeSeconds: MAX_DISPATCH_SIGNATURE_AGE_SECONDS,
+    });
+}

package/esm/src/utils/version-constant.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.1.228";
+export declare const VERSION = "0.1.230";
 //# sourceMappingURL=version-constant.d.ts.map

package/esm/src/utils/version-constant.js

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.228";
+export const VERSION = "0.1.230";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "veryfront",
-  "version": "0.1.228",
+  "version": "0.1.230",
   "description": "The simplest way to build AI-powered apps",
   "keywords": [
     "react",

package/src/deno.js

@@ -1,6 +1,6 @@
 export default {
   "name": "veryfront",
-  "version": "0.1.228",
+  "version": "0.1.230",
   "license": "Apache-2.0",
   "nodeModulesDir": "auto",
   "workspace": [

package/src/src/agent/hosted-child-lifecycle.ts

@@ -0,0 +1,121 @@
+export interface HostedChildLifecycleTerminalState {
+  status: "completed" | "failed" | "cancelled";
+  usage?: {
+    inputTokens?: number;
+    outputTokens?: number;
+    totalTokens?: number;
+  };
+  terminalErrorCode?: string | null;
+  terminalErrorMessage?: string | null;
+}
+
+export interface HostedChildLifecycleCompletedState
+  extends Omit<HostedChildLifecycleTerminalState, "status"> {
+  status: "completed";
+}
+
+export interface HostedChildLifecycleAdapter {
+  pending?: () => Promise<void> | void;
+  running?: () => Promise<void> | void;
+  completed?: (
+    terminalState: HostedChildLifecycleTerminalState,
+  ) => Promise<void> | void;
+  failed?: (
+    terminalState: HostedChildLifecycleTerminalState,
+  ) => Promise<void> | void;
+  cancelled?: (
+    terminalState: HostedChildLifecycleTerminalState,
+  ) => Promise<void> | void;
+}
+
+export interface HostedChildLifecycleErrorState
+  extends Omit<HostedChildLifecycleTerminalState, "status"> {
+  status: "failed" | "cancelled";
+}
+
+export interface HostedChildLifecycleRunnerOptions<TResult> {
+  adapter: HostedChildLifecycleAdapter;
+  execute: () => Promise<TResult> | TResult;
+  resolveCompletedState?: (
+    result: TResult,
+  ) =>
+    | Promise<HostedChildLifecycleCompletedState>
+    | HostedChildLifecycleCompletedState;
+  resolveErrorState: (
+    error: unknown,
+  ) =>
+    | Promise<HostedChildLifecycleErrorState>
+    | HostedChildLifecycleErrorState;
+  onLifecycleError?: (error: unknown) => Promise<void> | void;
+}
+
+export type HostedChildLifecycleRunResult<TResult> =
+  | {
+    status: "completed";
+    result: TResult;
+    terminalState: HostedChildLifecycleTerminalState;
+  }
+  | {
+    status: "failed" | "cancelled";
+    error: unknown;
+    terminalState: HostedChildLifecycleTerminalState;
+  };
+
+async function dispatchTerminalState(
+  adapter: HostedChildLifecycleAdapter,
+  terminalState: HostedChildLifecycleTerminalState,
+): Promise<void> {
+  if (terminalState.status === "cancelled") {
+    await adapter.cancelled?.(terminalState);
+    return;
+  }
+
+  if (terminalState.status === "failed") {
+    await adapter.failed?.(terminalState);
+    return;
+  }
+
+  await adapter.completed?.(terminalState);
+}
+
+export async function runHostedChildLifecycle<TResult>(
+  options: HostedChildLifecycleRunnerOptions<TResult>,
+): Promise<HostedChildLifecycleRunResult<TResult>> {
+  await options.adapter.pending?.();
+  await options.adapter.running?.();
+
+  let result: TResult;
+  try {
+    result = await options.execute();
+  } catch (error) {
+    const terminalState = await options.resolveErrorState(error);
+
+    try {
+      await dispatchTerminalState(options.adapter, terminalState);
+    } catch (lifecycleError) {
+      if (options.onLifecycleError) {
+        await options.onLifecycleError(lifecycleError);
+      } else {
+        throw lifecycleError;
+      }
+    }
+
+    return {
+      status: terminalState.status,
+      error,
+      terminalState,
+    };
+  }
+
+  const terminalState = options.resolveCompletedState
+    ? await options.resolveCompletedState(result)
+    : { status: "completed" as const };
+
+  await dispatchTerminalState(options.adapter, terminalState);
+
+  return {
+    status: "completed",
+    result,
+    terminalState,
+  };
+}

package/src/src/agent/hosted-lifecycle.ts

@@ -0,0 +1,159 @@
+export interface HostedLifecycleTerminalState {
+  status: "completed" | "failed" | "cancelled";
+  metadata?: {
+    modelId?: string;
+    usage?: {
+      inputTokens?: number;
+      outputTokens?: number;
+      cachedInputTokens?: number;
+    };
+  };
+  terminalErrorCode?: string | null;
+  terminalErrorMessage?: string | null;
+}
+
+export interface HostedLifecycleExecution<TChunk> {
+  stream: AsyncIterable<TChunk>;
+  waitForFinish: () => Promise<void>;
+}
+
+export interface HostedLifecycleAdapter<TRun, TChunk> {
+  startRun: (input: { abortSignal: AbortSignal }) => Promise<TRun> | TRun;
+  appendEvents?: (run: TRun, chunk: TChunk) => Promise<void> | void;
+  persistTranscriptChunk?: (run: TRun, chunk: TChunk) => Promise<void> | void;
+  persistTranscriptTerminalState?: (
+    run: TRun,
+    terminalState: HostedLifecycleTerminalState,
+  ) => Promise<void> | void;
+  onTerminalState?: (
+    run: TRun,
+    terminalState: HostedLifecycleTerminalState,
+  ) => Promise<void> | void;
+  finalizeRun?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
+  cancelRun?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
+}
+
+export interface HostedLifecycleRunnerOptions<TRun, TChunk> {
+  abortSignal: AbortSignal;
+  execution: HostedLifecycleExecution<TChunk>;
+  adapter: HostedLifecycleAdapter<TRun, TChunk>;
+  resolveTerminalState: () => Promise<HostedLifecycleTerminalState> | HostedLifecycleTerminalState;
+  resolveErrorTerminalState?: (
+    error: unknown,
+  ) => Promise<HostedLifecycleTerminalState> | HostedLifecycleTerminalState;
+}
+
+export interface HostedLifecycleRunResult<TRun> {
+  run: TRun;
+  terminalState: HostedLifecycleTerminalState;
+}
+
+function getTerminalErrorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : String(error);
+}
+
+function defaultErrorTerminalState(
+  abortSignal: AbortSignal,
+  error: unknown,
+): HostedLifecycleTerminalState {
+  if (abortSignal.aborted) {
+    return {
+      status: "cancelled",
+      terminalErrorCode: "ABORTED",
+      terminalErrorMessage: getTerminalErrorMessage(error),
+    };
+  }
+
+  return {
+    status: "failed",
+    terminalErrorCode: "STREAM_ERROR",
+    terminalErrorMessage: getTerminalErrorMessage(error),
+  };
+}
+
+async function captureHookError(
+  callback: (() => Promise<void> | void) | undefined,
+): Promise<unknown | null> {
+  if (!callback) {
+    return null;
+  }
+
+  try {
+    await callback();
+    return null;
+  } catch (error) {
+    return error;
+  }
+}
+
+async function runTerminalHooks<TRun, TChunk>(input: {
+  run: TRun;
+  terminalState: HostedLifecycleTerminalState;
+  adapter: HostedLifecycleAdapter<TRun, TChunk>;
+}): Promise<void> {
+  let firstHookError: unknown | null = null;
+
+  const persistError = await captureHookError(() =>
+    input.adapter.persistTranscriptTerminalState?.(input.run, input.terminalState)
+  );
+  if (persistError) {
+    firstHookError = persistError;
+  }
+
+  const terminalObserverError = await captureHookError(() =>
+    input.adapter.onTerminalState?.(input.run, input.terminalState)
+  );
+  if (!firstHookError && terminalObserverError) {
+    firstHookError = terminalObserverError;
+  }
+
+  const terminalControlError = await captureHookError(() =>
+    input.terminalState.status === "cancelled"
+      ? input.adapter.cancelRun?.(input.run, input.terminalState)
+      : input.adapter.finalizeRun?.(input.run, input.terminalState)
+  );
+
+  if (firstHookError) {
+    throw firstHookError;
+  }
+
+  if (terminalControlError) {
+    throw terminalControlError;
+  }
+}
+
+export async function runHostedLifecycle<TRun, TChunk>(
+  options: HostedLifecycleRunnerOptions<TRun, TChunk>,
+): Promise<HostedLifecycleRunResult<TRun>> {
+  const run = await options.adapter.startRun({ abortSignal: options.abortSignal });
+
+  try {
+    for await (const chunk of options.execution.stream) {
+      await options.adapter.appendEvents?.(run, chunk);
+      await options.adapter.persistTranscriptChunk?.(run, chunk);
+    }
+
+    await options.execution.waitForFinish();
+  } catch (error) {
+    const terminalState = options.resolveErrorTerminalState
+      ? await options.resolveErrorTerminalState(error)
+      : defaultErrorTerminalState(options.abortSignal, error);
+
+    await runTerminalHooks({
+      run,
+      terminalState,
+      adapter: options.adapter,
+    }).catch(() => undefined);
+
+    throw error;
+  }
+
+  const terminalState = await options.resolveTerminalState();
+  await runTerminalHooks({
+    run,
+    terminalState,
+    adapter: options.adapter,
+  });
+
+  return { run, terminalState };
+}

package/src/src/agent/index.ts

@@ -180,6 +180,21 @@ export {
   createAgUiBrowserResponseStream,
   type CreateAgUiBrowserResponseStreamInput,
 } from "./ag-ui-browser-response-stream.js";
+export {
+  type HostedChildLifecycleAdapter,
+  type HostedChildLifecycleRunnerOptions,
+  type HostedChildLifecycleRunResult,
+  type HostedChildLifecycleTerminalState,
+  runHostedChildLifecycle,
+} from "./hosted-child-lifecycle.js";
+export {
+  type HostedLifecycleAdapter,
+  type HostedLifecycleExecution,
+  type HostedLifecycleRunnerOptions,
+  type HostedLifecycleRunResult,
+  type HostedLifecycleTerminalState,
+  runHostedLifecycle,
+} from "./hosted-lifecycle.js";
 export {
   mergeToolCallInput,
   mergeToolInputDelta,

package/src/src/agent/runtime/sse-utils.ts

@@ -20,7 +20,15 @@ export function sendSSE(
   encoder: TextEncoder,
   event: Record<string, unknown>,
 ): void {
-  controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
+  try {
+    controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
+  } catch (error) {
+    if (isClosedStreamControllerError(error)) {
+      return;
+    }
+
+    throw error;
+  }
 }
 
 export function closeSSEStream(controller: ReadableStreamDefaultController): void {

package/src/src/channels/control-plane.ts

@@ -294,6 +294,58 @@ export async function listRuntimeAgents(
   return RuntimeAgentListResponseSchema.parse({ agents });
 }
 
+/**
+ * Verify the Ed25519 signature of a dispatch JWS and the recency of its
+ * timestamps, without binding to a particular request body or audience.
+ *
+ * This is intentionally weaker than {@link verifyDispatchJws}: it answers
+ * "was this JWS minted by a holder of the control-plane private key and is it
+ * still fresh?" and is used as a trust signal in code paths (proxy-trust,
+ * adapter selection) that don't yet have access to the authoritative request
+ * body or project audience. Callers that consume request payloads MUST still
+ * call {@link verifyDispatchJws} / {@link verifyControlPlaneJws} to bind the
+ * signature to the body and project.
+ *
+ * Returns true iff the signature verifies and `iat`/`exp` are within the
+ * allowed skew and max-age window. All other failures (including parsing
+ * errors) resolve to false so callers can treat the signal as present-but-not-
+ * proven without raising.
+ */
+export async function verifyDispatchJwsSignature(
+  jws: string,
+  options: {
+    publicKeyPem: string;
+    maxAgeSeconds: number;
+  },
+): Promise<boolean> {
+  try {
+    const parts = jws.split(".");
+    if (parts.length !== 3) return false;
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    if (!encodedHeader || !encodedPayload || !encodedSignature) return false;
+
+    compactJwsHeaderSchema.parse(parseCompactJwsPart(encodedHeader));
+    const claims = dispatchClaimsSchema.parse(parseCompactJwsPart(encodedPayload));
+
+    const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
+    const signature = base64urlDecodeToBytes(encodedSignature);
+    const publicKey = await importEd25519PublicKey(options.publicKeyPem);
+    const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
+    if (!verified) return false;
+
+    if (claims.iss !== "veryfront-api") return false;
+
+    const now = Math.floor(Date.now() / 1000);
+    if (claims.exp <= now) return false;
+    if (claims.iat > now + SIGNATURE_SKEW_SECONDS) return false;
+    if (now - claims.iat > options.maxAgeSeconds) return false;
+
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 export async function verifyDispatchJws(
   jws: string,
   body: string,

package/src/src/channels/invoke.ts

@@ -153,7 +153,7 @@ export async function listChannelAssistants(
 
   return ChannelAssistantsResponseSchema.parse({ assistants });
 }
-export { verifyDispatchJws } from "./control-plane.js";
+export { verifyDispatchJws, verifyDispatchJwsSignature } from "./control-plane.js";
 
 function normalizeConversationPart(
   part: z.infer<typeof rawHistoryPartSchema>,

package/src/src/server/handlers/preview/hmr.handler.ts

@@ -29,6 +29,8 @@ import {
 import { getPingIntervalMs, startPingInterval, stopPingInterval } from "./hmr-ping-keepalive.js";
 import { broadcastUpdate, getMetrics } from "./hmr-message-router.js";
 import { getEffectiveRequestHost } from "../../utils/request-host.js";
+import { isProxyTrusted } from "../../utils/proxy-trust.js";
+import { getHostEnv } from "../../../platform/compat/process.js";
 
 const logger = serverLogger.component("hmr-handler");
 
@@ -89,14 +91,24 @@ export class HMRHandler extends BaseHandler {
     });
   }
 
-  handle(req: Request, ctx: HandlerContext): Promise<HandlerResult> {
-    if (!this.shouldHandle(req, ctx)) return Promise.resolve(this.continue());
+  async handle(req: Request, ctx: HandlerContext): Promise<HandlerResult> {
+    if (!this.shouldHandle(req, ctx)) return this.continue();
 
     const url = new URL(req.url);
     const queryEnv = url.searchParams.get("x-environment");
     const isPreviewMode = ctx.requestContext?.mode === "preview" || queryEnv === "preview";
     const isLocal = !!ctx.isLocalProject;
-    const host = getEffectiveRequestHost(req, url);
+    // SECURITY: x-forwarded-host is client-controlled unless we trust the upstream proxy.
+    // Honouring it unconditionally lets any remote client present `x-forwarded-host: localhost`
+    // and unlock the localhost short-circuit that opens HMR (VULN-SRV-4). Only consult
+    // forwarded headers when the request is proxy-trusted; otherwise use Host / url.host.
+    // Proxy trust requires a verifiable dispatch JWS (or operator opt-in) — mere header
+    // presence is not enough, since `x-veryfront-dispatch-jws` is not stripped on ingress.
+    const publicKeyPem = ctx.adapter?.env?.get("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY") ??
+      getHostEnv("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY");
+    const host = (await isProxyTrusted(req, { publicKeyPem }))
+      ? getEffectiveRequestHost(req, url)
+      : (req.headers.get("host") ?? url.host);
     const isLocalhost = isLocalDevHost(host);
 
     if (!isPreviewMode && !isLocal && !isLocalhost) {
@@ -109,7 +121,7 @@ export class HMRHandler extends BaseHandler {
         isLocal,
         isLocalhost,
       });
-      return Promise.resolve(this.continue());
+      return this.continue();
     }
 
     HMRHandler.initialize();
@@ -127,29 +139,25 @@ export class HMRHandler extends BaseHandler {
     }
 
     if (req.headers.get("upgrade")?.toLowerCase() !== "websocket") {
-      return Promise.resolve(
-        this.respond(
-          new Response(
-            JSON.stringify({
-              status: "ok",
-              clients: getClientCount(),
-              clientDetails: getClientDetails(),
-              metrics: {
-                ...getMetrics(),
-                reloadNotifierMetrics: ReloadNotifier.getMetrics(),
-              },
-              message: "HMR WebSocket endpoint - connect via WebSocket",
-            }),
-            { headers: { "content-type": "application/json" } },
-          ),
+      return this.respond(
+        new Response(
+          JSON.stringify({
+            status: "ok",
+            clients: getClientCount(),
+            clientDetails: getClientDetails(),
+            metrics: {
+              ...getMetrics(),
+              reloadNotifierMetrics: ReloadNotifier.getMetrics(),
+            },
+            message: "HMR WebSocket endpoint - connect via WebSocket",
+          }),
+          { headers: { "content-type": "application/json" } },
         ),
       );
     }
 
     if (!ctx.adapter?.server) {
-      return Promise.resolve(
-        this.respond(new Response("WebSocket not supported", { status: 501 })),
-      );
+      return this.respond(new Response("WebSocket not supported", { status: 501 }));
     }
 
     try {
@@ -234,12 +242,10 @@ export class HMRHandler extends BaseHandler {
         totalClients: getClientCount(),
       });
 
-      return Promise.resolve(this.respond(response));
+      return this.respond(response);
     } catch (error) {
       logger.error("WebSocket upgrade failed", { error });
-      return Promise.resolve(
-        this.respond(new Response("WebSocket upgrade failed", { status: 500 })),
-      );
+      return this.respond(new Response("WebSocket upgrade failed", { status: 500 }));
     }
   }