@portel/photon 1.18.0 → 1.20.0

package/dist/server.js

@@ -8,10 +8,9 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
 import { CallToolRequestSchema, ListToolsRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema, ListResourceTemplatesRequestSchema, ReadResourceRequestSchema, GetTaskRequestSchema, ListTasksRequestSchema, CancelTaskRequestSchema, GetTaskPayloadRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
-import { readFileSync } from 'node:fs';
 import { readText } from './shared/io.js';
-import * as path from 'node:path';
 import { createServer } from 'node:http';
+import * as path from 'node:path';
 import { URL } from 'node:url';
 import { PhotonLoader } from './loader.js';
 import { generateExecutionId } from '@portel/photon-core';
@@ -21,14 +20,15 @@ import { createLogger } from './shared/logger.js';
 import { getErrorMessage, formatToolError } from './shared/error-handler.js';
 import { validateOrThrow, assertString, notEmpty, inRange, oneOf, hasExtension, } from './shared/validation.js';
 import { generatePlaygroundHTML } from './auto-ui/playground-html.js';
-import { subscribeChannel, pingDaemon, publishToChannel } from './daemon/client.js';
+import { pingDaemon } from './daemon/client.js';
 import { isGlobalDaemonRunning, startGlobalDaemon } from './daemon/manager.js';
+import { ChannelManager, } from './channel-manager.js';
 import { PhotonDocExtractor } from './photon-doc-extractor.js';
-import { isLocalRequest, readBody, setSecurityHeaders } from './shared/security.js';
+import { isLocalRequest, readBody, setSecurityHeaders, getCorsOrigin } from './shared/security.js';
 import { audit } from './shared/audit.js';
-import { createTask, getTask, updateTask, listTasks, registerController, getController, unregisterController, } from './tasks/store.js';
-import { toWireFormat, relatedTaskMeta, TERMINAL_STATES } from './tasks/types.js';
-import { runTaskExecution, resolveTaskInput, waitForTerminalOrInput } from './tasks/executor.js';
+import { TaskExecutor } from './task-executor.js';
+import { CapabilityNegotiator } from './capability-negotiator.js';
+import { ResourceServer } from './resource-server.js';
 export class HotReloadDisabledError extends Error {
     constructor(message) {
         super(message);
@@ -105,20 +105,24 @@ class BeamCompatTransport {
         }
         // Otherwise push to SSE stream if connected
         if (this.sseResponse && !this.sseResponse.writableEnded) {
-            this.sseResponse.write(`data: ${JSON.stringify(message)}\n\n`);
+            const id = message.id ?? crypto.randomUUID();
+            this.sseResponse.write(`event: message\nid: ${id}\ndata: ${JSON.stringify(message)}\n\n`);
         }
     }
     async handleHTTP(req, res, url) {
+        const corsOrigin = getCorsOrigin(req);
         // GET — open SSE stream for server-to-client notifications
         if (req.method === 'GET') {
             this.sseResponse = res;
-            res.writeHead(200, {
+            const sseHeaders = {
                 'Content-Type': 'text/event-stream',
                 'Cache-Control': 'no-cache',
                 Connection: 'keep-alive',
-                'Access-Control-Allow-Origin': '*',
                 'Mcp-Session-Id': this.sessionId,
-            });
+            };
+            if (corsOrigin)
+                sseHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+            res.writeHead(200, sseHeaders);
             // Send initial event so the client knows connection is established
             res.write(':connected\n\n');
             // Send keepalive every 15s
@@ -170,12 +174,14 @@ class BeamCompatTransport {
                             try {
                                 const result = await this.subPhotonExecutor(targetPhoton, methodName, parsed.params.arguments || {});
                                 const response = { jsonrpc: '2.0', id: parsed.id, result };
-                                res.writeHead(200, {
+                                const subHeaders = {
                                     'Content-Type': 'application/json',
-                                    'Access-Control-Allow-Origin': '*',
                                     'Access-Control-Expose-Headers': 'Mcp-Session-Id',
                                     'Mcp-Session-Id': this.sessionId,
-                                });
+                                };
+                                if (corsOrigin)
+                                    subHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                                res.writeHead(200, subHeaders);
                                 res.end(JSON.stringify(response));
                                 return;
                             }
@@ -188,10 +194,12 @@ class BeamCompatTransport {
                                         isError: true,
                                     },
                                 };
-                                res.writeHead(200, {
+                                const errHeaders = {
                                     'Content-Type': 'application/json',
-                                    'Access-Control-Allow-Origin': '*',
-                                });
+                                };
+                                if (corsOrigin)
+                                    errHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                                res.writeHead(200, errHeaders);
                                 res.end(JSON.stringify(response));
                                 return;
                             }
@@ -204,7 +212,12 @@ class BeamCompatTransport {
             // Notifications have no id — fire-and-forget
             if (parsed.id === undefined) {
                 this.onmessage?.(parsed, { sessionId: this.sessionId });
-                res.writeHead(202);
+                const notifHeaders = {
+                    'Mcp-Session-Id': this.sessionId,
+                };
+                if (corsOrigin)
+                    notifHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                res.writeHead(202, notifHeaders);
                 res.end();
                 return;
             }
@@ -213,22 +226,30 @@ class BeamCompatTransport {
                 this.pendingResponse = resolve;
                 this.onmessage?.(parsed, { sessionId: this.sessionId });
             });
-            res.writeHead(200, {
+            const resHeaders = {
                 'Content-Type': 'application/json',
-                'Access-Control-Allow-Origin': '*',
                 'Access-Control-Expose-Headers': 'Mcp-Session-Id',
                 'Mcp-Session-Id': this.sessionId,
-            });
+            };
+            if (corsOrigin)
+                resHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+            res.writeHead(200, resHeaders);
             res.end(JSON.stringify(response));
             return;
         }
         // DELETE — session termination (spec compliance)
         if (req.method === 'DELETE') {
-            res.writeHead(200);
+            const delHeaders = {};
+            if (corsOrigin)
+                delHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+            res.writeHead(200, delHeaders);
             res.end();
             return;
         }
-        res.writeHead(405);
+        const methodHeaders = {};
+        if (corsOrigin)
+            methodHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+        res.writeHead(405, methodHeaders);
         res.end('Method not allowed');
     }
 }
@@ -236,6 +257,7 @@ export class PhotonServer {
     loader;
     mcp = null;
     server;
+    taskExecutor;
     options;
     mcpClientFactory = null;
     httpServer = null;
@@ -244,7 +266,7 @@ export class PhotonServer {
     hotReloadDisabled = false;
     lastReloadError;
     statusClients = new Set();
-    channelUnsubscribers = [];
+    channelManager;
     daemonName = null;
     /** Tracked instance name for daemon drift recovery (STDIO path) */
     daemonInstanceName;
@@ -252,19 +274,12 @@ export class PhotonServer {
     sseInstanceNames = new Map();
     /** Whether client capabilities have been logged (one-time on first tools/list) */
     clientCapabilitiesLogged = false;
-    /**
-     * Raw client capabilities captured from the initialize request BEFORE Zod parsing.
-     *
-     * The MCP SDK uses Zod to validate incoming requests, which strips unknown fields
-     * from ClientCapabilities. Notably, `extensions` (protocol 2025-11-25+) is not in
-     * the SDK's Zod schema yet, so `getClientCapabilities()` returns an object without
-     * it. Real clients like Claude Desktop and ChatGPT send UI capability under
-     * `extensions`, not `experimental`. We intercept the raw JSON-RPC message to
-     * capture the full capabilities before Zod strips them.
-     *
-     * Key: Server instance → Value: raw capabilities object from initialize request
-     */
-    rawClientCapabilities = new WeakMap();
+    /** Client capability detection and negotiation */
+    capabilityNegotiator = new CapabilityNegotiator();
+    /** Compatibility alias for tests that seed raw capabilities directly on PhotonServer */
+    rawClientCapabilities = this.capabilityNegotiator.rawClientCapabilities;
+    /** Resource listing, reading, and asset serving */
+    resourceServer;
     currentStatus = {
         type: 'info',
         message: 'Ready',
@@ -309,10 +324,36 @@ export class PhotonServer {
             baseLoggerOptions.scope = this.devMode ? 'dev' : 'runtime';
         }
         this.logger = createLogger(baseLoggerOptions);
-        this.loader = new PhotonLoader(true, this.logger.child({ component: 'photon-loader', scope: 'loader' }), options.workingDir);
+        const loaderVerbose = (baseLoggerOptions.level ?? 'info') !== 'warn' &&
+            (baseLoggerOptions.level ?? 'info') !== 'error';
+        this.loader = new PhotonLoader(loaderVerbose, this.logger.child({ component: 'photon-loader', scope: 'loader' }), options.workingDir);
+        // Initialize ChannelManager — owns all channel/pub-sub logic
+        // The sink is wired up lazily because `this.server` doesn't exist yet
+        const channelSink = {
+            sendNotification: async (notification) => {
+                await this.server.notification(notification);
+            },
+            sendNotificationToAllSessions: async (notification) => {
+                for (const session of Array.from(this.sseSessions.values())) {
+                    await session.server.notification(notification);
+                }
+            },
+            getPhotonInstance: () => this.mcp,
+        };
+        this.channelManager = new ChannelManager({
+            channelOptions: {
+                channelMode: options.channelMode,
+                channelName: options.channelName,
+                channelTargets: options.channelTargets,
+                channelInstructions: options.channelInstructions,
+            },
+            workingDir: options.workingDir,
+            sink: channelSink,
+            log: (level, message, data) => this.log(level, message, data),
+        });
         // Create MCP server instance
         this.server = new Server({
-            name: 'photon-mcp',
+            name: this.channelManager.getServerName(),
             version: PHOTON_VERSION,
         }, {
             capabilities: {
@@ -333,9 +374,24 @@ export class PhotonServer {
                         tools: { call: {} },
                     },
                 },
-                // Note: Server doesn't declare elicitation capability - that's a client capability
-                // The server uses elicitInput() when the client has elicitation support
+                // Channel capabilities (experimental) — delegated to ChannelManager
+                ...this.channelManager.getExtraCapabilities(),
             },
+            // Channel instructions
+            ...this.channelManager.getExtraServerOptions(),
+        });
+        // Task executor — handles MCP Tasks protocol (spec v2025-11-25)
+        this.taskExecutor = new TaskExecutor((level, message, meta) => this.log(level, message, meta), {
+            executeTool: (photon, toolName, args, opts) => this.loader.executeTool(photon, toolName, args, opts),
+        }, { createMCPInputProvider: (server) => this.createMCPInputProvider(server) });
+        // Resource server — handles ListResources, ReadResource, asset serving
+        this.resourceServer = new ResourceServer({
+            executeTool: (photon, toolName, args) => this.loader.executeTool(photon, toolName, args),
+            getLoadedPhotons: () => this.loader.getLoadedPhotons(),
+        }, {
+            filePath: options.filePath,
+            embeddedAssets: options.embeddedAssets,
+            embeddedUITemplates: options.embeddedUITemplates,
         });
         // Set up protocol handlers
         this.setupHandlers();
@@ -350,121 +406,11 @@ export class PhotonServer {
         this.logger.log(level, message, meta);
     }
     /**
-     * Build UI resource URI based on detected format
+     * Send a permission response back to the client.
+     * Delegates to ChannelManager.
      */
-    buildUIResourceUri(uiId) {
-        const photonName = this.mcp?.name || 'unknown';
-        return `ui://${photonName}/${uiId}`;
-    }
-    /**
-     * Build tool metadata for UI based on detected format
-     */
-    buildUIToolMeta(uiId) {
-        const uri = this.buildUIResourceUri(uiId);
-        return { ui: { resourceUri: uri } };
-    }
-    static ICON_MIME_TYPES = {
-        '.png': 'image/png',
-        '.jpg': 'image/jpeg',
-        '.jpeg': 'image/jpeg',
-        '.gif': 'image/gif',
-        '.svg': 'image/svg+xml',
-        '.webp': 'image/webp',
-        '.ico': 'image/x-icon',
-    };
-    /** Cached resolved icons per tool name */
-    resolvedIconsCache = new Map();
-    /**
-     * Resolve raw icon image paths to MCP Icon[] format (data URIs).
-     * Results are cached so file I/O only happens once per tool.
-     */
-    resolveIconImages(iconImages) {
-        const cacheKey = iconImages.map((i) => i.path).join('|');
-        const cached = this.resolvedIconsCache.get(cacheKey);
-        if (cached)
-            return cached;
-        const photonDir = path.dirname(this.options.filePath);
-        const icons = [];
-        for (const entry of iconImages) {
-            try {
-                const resolvedPath = path.resolve(photonDir, entry.path);
-                const ext = path.extname(resolvedPath).toLowerCase();
-                const mimeType = PhotonServer.ICON_MIME_TYPES[ext];
-                if (!mimeType)
-                    continue;
-                const data = readFileSync(resolvedPath);
-                const dataUri = `data:${mimeType};base64,${data.toString('base64')}`;
-                const icon = {
-                    src: dataUri,
-                    mimeType,
-                };
-                if (entry.sizes)
-                    icon.sizes = entry.sizes;
-                if (entry.theme)
-                    icon.theme = entry.theme;
-                icons.push(icon);
-            }
-            catch {
-                // Skip unreadable icon files silently
-            }
-        }
-        this.resolvedIconsCache.set(cacheKey, icons);
-        return icons;
-    }
-    /**
-     * Get UI mimeType based on detected format and client capabilities
-     */
-    getUIMimeType() {
-        return 'text/html;profile=mcp-app';
-    }
-    /**
-     * Check if client supports elicitation
-     *
-     * Elicitation is a client capability declared during initialization.
-     * The server can use elicitInput() when the client supports it.
-     */
-    clientSupportsElicitation(server) {
-        const targetServer = server || this.server;
-        const capabilities = targetServer.getClientCapabilities();
-        if (!capabilities) {
-            return false;
-        }
-        // Check for elicitation capability (MCP 2025-06 spec)
-        return !!capabilities.elicitation;
-    }
-    static MCP_UI_CAPABILITY = 'io.modelcontextprotocol/ui';
-    /**
-     * Check if client supports MCP Apps UI (structuredContent + _meta.ui)
-     *
-     * Looks for the "io.modelcontextprotocol/ui" capability in the client's
-     * initialize handshake. Any MCP client that advertises this capability
-     * gets rich UI responses — Claude Desktop, ChatGPT, MCPJam, etc.
-     *
-     * The capability may appear under `experimental` (older SDK types) or
-     * `extensions` (protocol version 2025-11-25+). We check both so it
-     * just works regardless of which field the client uses.
-     *
-     * Beam is special-cased because it's our own SSE transport where the
-     * capability is implicit.
-     */
-    clientSupportsUI(server) {
-        const targetServer = server || this.server;
-        // Check SDK-parsed capabilities (works for `experimental` which is in the Zod schema)
-        const capabilities = targetServer.getClientCapabilities();
-        if (capabilities?.experimental?.[PhotonServer.MCP_UI_CAPABILITY]) {
-            return true;
-        }
-        // Check raw capabilities captured before Zod parsing (needed for `extensions`
-        // which the SDK's Zod schema strips — Claude Desktop and ChatGPT use this field)
-        const raw = this.rawClientCapabilities.get(targetServer);
-        if (raw?.extensions?.[PhotonServer.MCP_UI_CAPABILITY]) {
-            return true;
-        }
-        // Beam is our own transport — UI support is implicit
-        const clientInfo = targetServer.getClientVersion();
-        if (clientInfo?.name === 'beam')
-            return true;
-        return false;
+    respondToPermission(response) {
+        this.channelManager.respondToPermission(response);
     }
     /**
      * Log client identity and capabilities for debugging tier detection
@@ -472,8 +418,8 @@ export class PhotonServer {
     logClientCapabilities(server) {
         const clientInfo = server.getClientVersion();
         const capabilities = server.getClientCapabilities();
-        const supportsUI = this.clientSupportsUI(server);
-        const supportsElicitation = this.clientSupportsElicitation(server);
+        const supportsUI = this.capabilityNegotiator.supportsUI(server);
+        const supportsElicitation = this.capabilityNegotiator.supportsElicitation(server);
         this.log('debug', 'Client connected', {
             name: clientInfo?.name ?? 'unknown',
             version: clientInfo?.version ?? 'unknown',
@@ -492,7 +438,7 @@ export class PhotonServer {
     createMCPInputProvider(server) {
         const targetServer = server || this.server;
         const capabilities = targetServer.getClientCapabilities();
-        const supportsElicitation = this.clientSupportsElicitation(server);
+        const supportsElicitation = this.capabilityNegotiator.supportsElicitation(targetServer);
         this.log('debug', 'Creating MCP input provider', {
             supportsElicitation,
             capabilities: JSON.stringify(capabilities),
@@ -789,13 +735,13 @@ export class PhotonServer {
                 toolDef.outputSchema = schema.outputSchema;
             // MCP tool icons (resolve image paths to data URIs)
             if (tool.iconImages && tool.iconImages.length > 0) {
-                const icons = this.resolveIconImages(tool.iconImages);
+                const icons = this.resourceServer.resolveIconImages(tool.iconImages);
                 if (icons.length > 0)
                     toolDef.icons = icons;
             }
             const linkedUI = this.mcp?.assets?.ui.find((u) => u.linkedTool === tool.name || u.linkedTools?.includes(tool.name));
-            if (linkedUI && this.clientSupportsUI(ctx.server)) {
-                toolDef._meta = this.buildUIToolMeta(linkedUI.id);
+            if (linkedUI && this.capabilityNegotiator.supportsUI(ctx.server)) {
+                toolDef._meta = this.resourceServer.buildUIToolMeta(this.mcp.name, linkedUI.id);
             }
             return toolDef;
         });
@@ -863,7 +809,7 @@ export class PhotonServer {
             // Elicitation-based instance selection when _use called without name
             if (toolName === '_use' &&
                 (!args || !('name' in args)) &&
-                this.clientSupportsElicitation(ctx.server)) {
+                this.capabilityNegotiator.supportsElicitation(ctx.server)) {
                 const instancesResult = (await sendCommand(this.daemonName, '_instances', {}, sendOpts));
                 const instances = instancesResult?.instances || ['default'];
                 const options = instances.map((inst) => ({
@@ -928,11 +874,7 @@ export class PhotonServer {
         // Handler for channel events - forward to daemon for cross-process pub/sub
         const outputHandler = (emit) => {
             // Forward channel events to daemon for cross-process pub/sub
-            if (this.daemonName && emit?.channel) {
-                publishToChannel(this.daemonName, emit.channel, emit, this.options.workingDir).catch(() => {
-                    // Ignore publish errors - daemon may not be running
-                });
-            }
+            this.channelManager.publishIfChannel(emit);
             // Forward emit yields as MCP progress notifications to STDIO client
             if (emit?.emit === 'progress') {
                 const rawValue = typeof emit.value === 'number' ? emit.value : 0;
@@ -1074,12 +1016,12 @@ export class PhotonServer {
         }
         // Enrich response with structuredContent + _meta for tools with linked UIs
         const linkedUI = this.mcp?.assets?.ui.find((u) => u.linkedTool === toolName || u.linkedTools?.includes(toolName));
-        if (linkedUI && this.clientSupportsUI(ctx.server)) {
+        if (linkedUI && this.capabilityNegotiator.supportsUI(ctx.server)) {
             if (actualResult !== undefined && actualResult !== null) {
                 response.structuredContent =
                     typeof actualResult === 'string' ? { text: actualResult } : actualResult;
             }
-            const uiMeta = this.buildUIToolMeta(linkedUI.id);
+            const uiMeta = this.resourceServer.buildUIToolMeta(this.mcp.name, linkedUI.id);
             response._meta = { ...response._meta, ...uiMeta };
         }
         return response;
@@ -1114,122 +1056,6 @@ export class PhotonServer {
         const result = await this.loader.executeTool(this.mcp, promptName, args || {});
         return this.formatTemplateResult(result);
     }
-    handleListResources(ctx) {
-        if (!this.mcp) {
-            return { resources: [] };
-        }
-        const staticResources = this.mcp.statics.filter((s) => !this.isUriTemplate(s.uri));
-        const resources = staticResources.map((static_) => ({
-            uri: static_.uri,
-            name: static_.name,
-            description: static_.description,
-            mimeType: static_.mimeType || 'text/plain',
-        }));
-        if (this.mcp.assets) {
-            const photonName = this.mcp.name;
-            for (const ui of this.mcp.assets.ui) {
-                const uiUri = ui.uri || this.buildUIResourceUri(ui.id);
-                resources.push({
-                    uri: uiUri,
-                    name: `ui:${ui.id}`,
-                    description: ui.linkedTool
-                        ? `UI template for ${ui.linkedTool} tool`
-                        : `UI template: ${ui.id}`,
-                    // Always use MCP Apps mime type for UI resources — photon-core's
-                    // getMimeTypeFromPath returns plain text/html which causes Claude
-                    // Desktop to skip rendering the app UI
-                    mimeType: this.getUIMimeType(),
-                });
-            }
-            for (const prompt of this.mcp.assets.prompts) {
-                resources.push({
-                    uri: `photon://${photonName}/prompts/${prompt.id}`,
-                    name: `prompt:${prompt.id}`,
-                    description: prompt.description || `Prompt template: ${prompt.id}`,
-                    mimeType: 'text/markdown',
-                });
-            }
-            for (const resource of this.mcp.assets.resources) {
-                resources.push({
-                    uri: `photon://${photonName}/resources/${resource.id}`,
-                    name: `resource:${resource.id}`,
-                    description: resource.description || `Static resource: ${resource.id}`,
-                    mimeType: resource.mimeType || 'application/octet-stream',
-                });
-            }
-        }
-        // Include sub-photon UI resources (compiled binary mode)
-        if (this.options.embeddedAssets) {
-            const allLoaded = this.loader.getLoadedPhotons();
-            for (const [, loaded] of allLoaded) {
-                if (loaded.name === this.mcp.name)
-                    continue;
-                if (loaded.assets?.ui) {
-                    for (const ui of loaded.assets.ui) {
-                        const uiUri = ui.uri || `ui://${loaded.name}/${ui.id}`;
-                        resources.push({
-                            uri: uiUri,
-                            name: `ui:${ui.id}`,
-                            description: ui.linkedTool
-                                ? `UI template for ${loaded.name}/${ui.linkedTool}`
-                                : `UI template: ${loaded.name}/${ui.id}`,
-                            mimeType: ui.mimeType || this.getUIMimeType(),
-                        });
-                    }
-                }
-            }
-        }
-        return { resources };
-    }
-    handleListResourceTemplates() {
-        if (!this.mcp) {
-            return { resourceTemplates: [] };
-        }
-        const templateResources = this.mcp.statics.filter((s) => this.isUriTemplate(s.uri));
-        return {
-            resourceTemplates: templateResources.map((static_) => ({
-                uriTemplate: static_.uri,
-                name: static_.name,
-                description: static_.description,
-                mimeType: static_.mimeType || 'text/plain',
-            })),
-        };
-    }
-    async handleReadResource(request) {
-        if (!this.mcp) {
-            throw new Error('MCP not loaded');
-        }
-        const { uri: rawUri } = request.params;
-        const uri = typeof rawUri === 'string'
-            ? rawUri.replace(/^ui:\/\/\/([^/]+)\/(.+)$/, 'ui://$1/$2')
-            : rawUri;
-        const uiMatch = uri.match(/^ui:\/\/([^/]+)\/(.+)$/);
-        if (uiMatch) {
-            const [, uiPhotonName, assetId] = uiMatch;
-            // Check main photon first
-            if (this.mcp.assets && uiPhotonName === this.mcp.name) {
-                return this.handleUIAssetRead(uri, assetId);
-            }
-            // Check sub-photons (compiled binary mode)
-            if (this.options.embeddedAssets) {
-                const allLoaded = this.loader.getLoadedPhotons();
-                for (const [, loaded] of allLoaded) {
-                    if (loaded.name === uiPhotonName && loaded.assets?.ui) {
-                        return this.handleUIAssetRead(uri, assetId, loaded);
-                    }
-                }
-            }
-            // Fallback to main photon
-            if (this.mcp.assets) {
-                return this.handleUIAssetRead(uri, assetId);
-            }
-        }
-        const assetMatch = uri.match(/^photon:\/\/([^/]+)\/(ui|prompts|resources)\/(.+)$/);
-        if (assetMatch && this.mcp.assets) {
-            return this.handleAssetRead(uri, assetMatch);
-        }
-        return this.handleStaticRead(uri);
-    }
     // ─── Transport-specific setup ─────────────────────────────────────
     /**
      * Set up MCP protocol handlers (STDIO transport)
@@ -1267,9 +1093,7 @@ export class PhotonServer {
                     const executionId = generateExecutionId();
                     const inputProvider = this.createMCPInputProvider();
                     const outputHandler = (emit) => {
-                        if (this.daemonName && emit?.channel) {
-                            publishToChannel(this.daemonName, emit.channel, emit, this.options.workingDir).catch(() => { });
-                        }
+                        this.channelManager.publishIfChannel(emit);
                         // Forward emit yields as MCP notifications for async tools
                         if (emit?.emit === 'progress' || emit?.emit === 'status') {
                             const rawValue = emit?.emit === 'progress' && typeof emit.value === 'number' ? emit.value : 0;
@@ -1354,22 +1178,7 @@ export class PhotonServer {
             const taskField = request.params?.task;
             if (taskField && this.mcp) {
                 const { name: toolName, arguments: args } = request.params;
-                const ttl = typeof taskField.ttl === 'number' ? taskField.ttl : undefined;
-                const task = createTask(this.mcp.name, toolName, args, ttl);
-                const controller = new AbortController();
-                registerController(task.id, controller);
-                const executeFn = async (taskInputProvider, outputHandler) => {
-                    return this.loader.executeTool(this.mcp, toolName, args || {}, {
-                        outputHandler,
-                        inputProvider: taskInputProvider,
-                    });
-                };
-                runTaskExecution(task.id, executeFn, {
-                    signal: controller.signal,
-                });
-                return {
-                    content: [{ type: 'text', text: JSON.stringify({ task: toWireFormat(task) }, null, 2) }],
-                };
+                return this.taskExecutor.handleTaskModeCall(this.mcp.name, toolName, args || {}, taskField);
             }
             try {
                 return await this.handleCallTool(ctx, request);
@@ -1377,7 +1186,8 @@ export class PhotonServer {
             catch (error) {
                 // STDIO-only: config elicitation retry
                 const { name: toolName, arguments: args } = request.params;
-                if (this.mcp?.instance?._photonConfigError && this.clientSupportsElicitation()) {
+                if (this.mcp?.instance?._photonConfigError &&
+                    this.capabilityNegotiator.supportsElicitation(this.server)) {
                     const retryResult = await this.attemptConfigElicitation(toolName, args || {});
                     if (retryResult)
                         return retryResult;
@@ -1409,136 +1219,26 @@ export class PhotonServer {
             }
         });
         this.server.setRequestHandler(ListResourcesRequestSchema, async () => {
-            return this.handleListResources(ctx);
+            return this.resourceServer.handleListResources(this.mcp);
         });
         this.server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {
-            return this.handleListResourceTemplates();
+            return this.resourceServer.handleListResourceTemplates(this.mcp);
         });
         this.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
-            return this.handleReadResource(request);
+            return this.resourceServer.handleReadResource(request, this.mcp);
         });
-        // ── MCP Tasks handlers (2025-11-25 spec) ──
+        // ── MCP Tasks handlers (2025-11-25 spec) — delegated to TaskExecutor ──
         this.server.setRequestHandler(GetTaskRequestSchema, async (request) => {
-            const { taskId } = request.params;
-            const task = getTask(taskId);
-            if (!task)
-                throw new Error(`Task not found: ${taskId}`);
-            return toWireFormat(task);
+            return this.taskExecutor.handleGetTask(request.params.taskId);
         });
         this.server.setRequestHandler(ListTasksRequestSchema, async (request) => {
-            const allTasks = listTasks();
-            const cursor = request.params?.cursor;
-            const offset = cursor ? parseInt(cursor, 10) || 0 : 0;
-            const pageSize = 50;
-            const page = allTasks.slice(offset, offset + pageSize);
-            const nextCursor = offset + pageSize < allTasks.length ? String(offset + pageSize) : undefined;
-            return {
-                tasks: page.map(toWireFormat),
-                ...(nextCursor && { nextCursor }),
-            };
+            return this.taskExecutor.handleListTasks(request.params?.cursor);
         });
         this.server.setRequestHandler(CancelTaskRequestSchema, async (request) => {
-            const { taskId } = request.params;
-            const task = getTask(taskId);
-            if (!task)
-                throw new Error(`Task not found: ${taskId}`);
-            if (TERMINAL_STATES.includes(task.state)) {
-                throw new Error(`Cannot cancel task in terminal state: ${task.state}`);
-            }
-            const controller = getController(taskId);
-            if (controller)
-                controller.abort();
-            const updated = updateTask(taskId, {
-                state: 'cancelled',
-                statusMessage: 'The task was cancelled by request.',
-            });
-            unregisterController(taskId);
-            return toWireFormat(updated);
+            return this.taskExecutor.handleCancelTask(request.params.taskId);
         });
         this.server.setRequestHandler(GetTaskPayloadRequestSchema, async (request) => {
-            const { taskId } = request.params;
-            const task = getTask(taskId);
-            if (!task)
-                throw new Error(`Task not found: ${taskId}`);
-            // Helper to format terminal task result
-            const formatResult = (t) => {
-                if (t.state === 'failed') {
-                    return {
-                        content: [{ type: 'text', text: t.error || 'Task failed' }],
-                        isError: true,
-                        _meta: relatedTaskMeta(taskId),
-                    };
-                }
-                if (t.state === 'cancelled') {
-                    return {
-                        content: [{ type: 'text', text: 'Task was cancelled.' }],
-                        isError: false,
-                        _meta: relatedTaskMeta(taskId),
-                    };
-                }
-                // Completed
-                if (t.result && typeof t.result === 'object' && 'content' in t.result) {
-                    return { ...t.result, _meta: relatedTaskMeta(taskId) };
-                }
-                const text = typeof t.result === 'string' ? t.result : JSON.stringify(t.result ?? null);
-                return {
-                    content: [{ type: 'text', text }],
-                    isError: false,
-                    _meta: relatedTaskMeta(taskId),
-                };
-            };
-            // Already terminal — return immediately
-            if (TERMINAL_STATES.includes(task.state)) {
-                return formatResult(task);
-            }
-            // If input_required, try to get input via elicitation
-            if (task.state === 'input_required' && task.input) {
-                const inputProvider = this.createMCPInputProvider(this.server);
-                try {
-                    const value = await inputProvider(task.input);
-                    resolveTaskInput(taskId, value);
-                }
-                catch {
-                    resolveTaskInput(taskId, null);
-                }
-            }
-            // Block until terminal (max 5 min per call)
-            try {
-                const abortController = new AbortController();
-                const timeout = setTimeout(() => abortController.abort(), 300000);
-                try {
-                    while (true) {
-                        const current = await waitForTerminalOrInput(taskId, abortController.signal);
-                        if (TERMINAL_STATES.includes(current.state)) {
-                            return formatResult(current);
-                        }
-                        if (current.state === 'input_required' && current.input) {
-                            const inputProvider = this.createMCPInputProvider(this.server);
-                            try {
-                                const value = await inputProvider(current.input);
-                                resolveTaskInput(taskId, value);
-                            }
-                            catch {
-                                resolveTaskInput(taskId, null);
-                            }
-                        }
-                    }
-                }
-                finally {
-                    clearTimeout(timeout);
-                }
-            }
-            catch {
-                const current = getTask(taskId);
-                if (current && TERMINAL_STATES.includes(current.state)) {
-                    return formatResult(current);
-                }
-                return {
-                    content: [{ type: 'text', text: `Task ${taskId} is still running.` }],
-                    isError: false,
-                    _meta: relatedTaskMeta(taskId),
-                };
-            }
+            return this.taskExecutor.handleGetTaskPayload(request.params.taskId, this.server);
         });
     }
     /**
@@ -1589,63 +1289,27 @@ export class PhotonServer {
         };
     }
     /**
-     * Format static result to MCP resource response
-     */
-    formatStaticResult(result, mimeType) {
-        const text = typeof result === 'string' ? result : JSON.stringify(result, null, 2);
-        return {
-            contents: [
-                {
-                    uri: '',
-                    mimeType: mimeType || 'text/plain',
-                    text,
-                },
-            ],
-        };
-    }
-    /**
-     * Check if a URI is a template (contains {parameters})
+     * Compatibility wrappers for tests and older internal call sites after
+     * resource helpers moved into ResourceServer.
      */
     isUriTemplate(uri) {
-        return /\{[^}]+\}/.test(uri);
+        return this.resourceServer.isUriTemplate(uri);
     }
-    /**
-     * Match URI pattern with actual URI
-     * Example: github://repos/{owner}/{repo} matches github://repos/foo/bar
-     */
     matchUriPattern(pattern, uri) {
-        // Convert URI pattern to regex
-        // Replace {param} with capturing groups
-        const regexPattern = pattern.replace(/\{[^}]+\}/g, '([^/]+)');
-        const regex = new RegExp(`^${regexPattern}$`);
-        return regex.test(uri);
+        return this.resourceServer.matchUriPattern(pattern, uri);
     }
-    /**
-     * Parse parameters from URI based on pattern
-     * Example: pattern="github://repos/{owner}/{repo}", uri="github://repos/foo/bar"
-     * Returns: { owner: "foo", repo: "bar" }
-     */
     parseUriParams(pattern, uri) {
-        const params = {};
-        // Extract parameter names from pattern
-        const paramNames = [];
-        const paramRegex = /\{([^}]+)\}/g;
-        let match;
-        while ((match = paramRegex.exec(pattern)) !== null) {
-            paramNames.push(match[1]);
-        }
-        // Convert pattern to regex with capturing groups
-        const regexPattern = pattern.replace(/\{[^}]+\}/g, '([^/]+)');
-        const regex = new RegExp(`^${regexPattern}$`);
-        // Extract values from URI
-        const values = uri.match(regex);
-        if (values) {
-            // Skip first element (full match)
-            for (let i = 0; i < paramNames.length; i++) {
-                params[paramNames[i]] = values[i + 1];
-            }
-        }
-        return params;
+        return this.resourceServer.parseUriParams(pattern, uri);
+    }
+    formatStaticResult(result, mimeType) {
+        return this.resourceServer.formatStaticResult(result, mimeType);
+    }
+    clientSupportsUI(server) {
+        return this.capabilityNegotiator.supportsUI(server);
+    }
+    buildUIToolMeta(uiId) {
+        const photonName = this.mcp?.name || path.basename(this.options.filePath, path.extname(this.options.filePath));
+        return this.resourceServer.buildUIToolMeta(photonName, uiId);
     }
     /**
      * Format error for AI consumption
@@ -1722,7 +1386,7 @@ export class PhotonServer {
         if (unresolved.sources.length === 1) {
             selectedSource = unresolved.sources[0];
         }
-        else if (this.clientSupportsElicitation()) {
+        else if (this.capabilityNegotiator.supportsElicitation(this.server)) {
             // Present choices via elicitation
             const sourceLabels = [];
             for (const source of unresolved.sources) {
@@ -1838,11 +1502,7 @@ export class PhotonServer {
             // Retry the original tool call
             const inputProvider = this.createMCPInputProvider();
             const outputHandler = (emit) => {
-                if (this.daemonName && emit?.channel) {
-                    publishToChannel(this.daemonName, emit.channel, emit, this.options.workingDir).catch((e) => {
-                        this.log('debug', 'Publish to channel failed', { error: getErrorMessage(e) });
-                    });
-                }
+                this.channelManager.publishIfChannel(emit);
             };
             const retryResult = await this.loader.executeTool(this.mcp, toolName, args, {
                 inputProvider,
@@ -1863,6 +1523,19 @@ export class PhotonServer {
      * Initialize and start the server
      */
     async start() {
+        // Safety net: catch unhandled errors so a bad photon can't crash the server
+        process.on('uncaughtException', (err) => {
+            this.log('error', 'Uncaught exception in PhotonServer', {
+                error: getErrorMessage(err),
+                stack: err?.stack,
+            });
+        });
+        process.on('unhandledRejection', (reason) => {
+            this.log('error', 'Unhandled rejection in PhotonServer', {
+                error: reason instanceof Error ? getErrorMessage(reason) : String(reason),
+                stack: reason instanceof Error ? reason.stack : undefined,
+            });
+        });
         try {
             // If unresolvedPhoton is set, skip loading — defer to first tool call
             if (this.options.unresolvedPhoton) {
@@ -1887,9 +1560,12 @@ export class PhotonServer {
                 const metadata = await extractor.extractFullMetadata();
                 const isStateful = metadata.stateful;
                 // Start daemon for stateful photons (enables cross-client communication)
+                // Channel mode also uses the daemon — the singleton instance holds the
+                // bot connection, and multiple MCP clients subscribe to its events
                 if (isStateful) {
                     const photonName = metadata.name;
                     this.daemonName = photonName; // Store for subscription
+                    this.channelManager.setDaemonName(photonName);
                     this.log('info', `Stateful photon detected: ${photonName}`);
                     if (!isGlobalDaemonRunning()) {
                         this.log('info', `Starting daemon for ${photonName}...`);
@@ -1921,8 +1597,10 @@ export class PhotonServer {
                     this.mcp = await this.loader.loadFile(this.options.filePath);
                 }
             }
-            // Subscribe to daemon channels for cross-process notifications
-            await this.subscribeToChannels();
+            // Subscribe to daemon channels for cross-process notifications.
+            // In channel mode, ChannelManager intercepts 'channel-push' events
+            // and translates them to notifications/claude/channel for the connected client.
+            await this.channelManager.subscribeToChannels();
             // Start with the appropriate transport
             const transport = this.options.transport || 'stdio';
             if (transport === 'sse') {
@@ -1944,106 +1622,12 @@ export class PhotonServer {
             process.exit(1);
         }
     }
-    /**
-     * Subscribe to daemon channels for cross-process notifications
-     * This enables real-time updates when other processes (e.g., Beam UI, other MCP clients) modify data
-     */
-    async subscribeToChannels() {
-        // Only subscribe if we have a daemon running (stateful photon)
-        if (!this.daemonName)
-            return;
-        try {
-            // Subscribe to wildcard channel for all events from this photon
-            // E.g., "kanban:*" receives "kanban:photon", "kanban:my-board", etc.
-            const unsubscribe = await subscribeChannel(this.daemonName, `${this.daemonName}:*`, (message) => {
-                void this.handleChannelMessage(message);
-            }, { workingDir: this.options.workingDir });
-            this.channelUnsubscribers.push(unsubscribe);
-            this.log('info', `Subscribed to daemon channel: ${this.daemonName}:*`);
-        }
-        catch (error) {
-            this.log('warn', `Failed to subscribe to daemon: ${getErrorMessage(error)}`);
-        }
-    }
-    /**
-     * Handle incoming channel messages and forward as MCP notifications
-     * This enables cross-client real-time updates (e.g., Beam updates show in Claude Desktop)
-     *
-     * Uses standard MCP Apps notification with embedded _photon data:
-     * - Claude Desktop forwards standard notifications (ui/notifications/host-context-changed)
-     * - Photon bridge extracts _photon field and routes to event listeners
-     * - This ensures cross-client sync works without requiring custom protocol support
-     */
-    async handleChannelMessage(message) {
-        if (!message || typeof message !== 'object')
-            return;
-        const msg = message;
-        // Debug logging for cross-client event transmission
-        if (process.env.PHOTON_DEBUG_EVENTS === '1') {
-            console.error(`[PHOTON-SERVER] Received daemon message on ${String(msg.channel)}: event=${String(msg.event)}`);
-        }
-        // Use STANDARD notification with embedded photon data
-        // Claude Desktop will forward this (it's a standard notification)
-        // Our bridge extracts _photon and routes to the appropriate event handler
-        const payload = {
-            method: 'ui/notifications/host-context-changed',
-            params: {
-                // _photon field carries our custom event data
-                _photon: {
-                    photon: this.daemonName,
-                    channel: msg.channel,
-                    event: msg.event,
-                    data: msg.data,
-                },
-            },
-        };
-        try {
-            if (process.env.PHOTON_DEBUG_EVENTS === '1') {
-                console.error(`[PHOTON-SERVER] Sending notification to MCP clients...`);
-            }
-            await this.server.notification(payload);
-            if (process.env.PHOTON_DEBUG_EVENTS === '1') {
-                console.error(`[PHOTON-SERVER] Notification sent successfully`);
-            }
-        }
-        catch (e) {
-            console.error(`[PHOTON-SERVER-ERROR] Notification send failed: ${getErrorMessage(e)}`);
-            this.log('debug', 'Notification send failed', { error: getErrorMessage(e) });
-        }
-        // Also send to SSE sessions — snapshot to avoid live-iterator + await issues
-        for (const session of Array.from(this.sseSessions.values())) {
-            try {
-                await session.server.notification(payload);
-            }
-            catch (e) {
-                this.log('debug', 'Session notification failed', { error: getErrorMessage(e) });
-            }
-        }
-    }
-    /**
-     * Intercept a transport to capture raw client capabilities before Zod strips them.
-     *
-     * The MCP SDK's Zod schema for ClientCapabilities doesn't include `extensions`
-     * (protocol 2025-11-25+), so getClientCapabilities() returns an object without it.
-     * We intercept the transport's onmessage to capture the raw `initialize` request
-     * and store capabilities before Zod parsing occurs.
-     */
-    interceptTransportForRawCapabilities(transport, targetServer) {
-        const origOnMessage = transport.onmessage;
-        transport.onmessage = (message, extra) => {
-            // Capture raw capabilities from initialize request
-            if (message?.method === 'initialize' && message?.params?.capabilities) {
-                this.rawClientCapabilities.set(targetServer, message.params.capabilities);
-            }
-            origOnMessage?.(message, extra);
-        };
-    }
     /**
      * Start server with stdio transport
      */
     async startStdio() {
         const transport = new StdioServerTransport();
-        this.interceptTransportForRawCapabilities(transport, this.server);
+        this.capabilityNegotiator.interceptTransportForRawCapabilities(transport, this.server, (msg) => this.channelManager.interceptPermissionRequest(msg));
         await this.server.connect(transport);
         this.log('info', `Server started: ${this.mcp.name}`);
     }
@@ -2052,15 +1636,16 @@ export class PhotonServer {
      */
     async startSSE() {
         const port = this.options.port || 3000;
-        const useStreamableHTTP = !!this.options.embeddedAssets;
         const ssePath = '/mcp';
         const messagesPath = '/mcp/messages';
-        // For compiled binaries with Beam UI, use a minimal Streamable HTTP transport
-        // that matches what the Beam frontend sends:
-        //   POST /mcp  — JSON-RPC request, Accept: application/json → JSON response
-        //   GET  /mcp?sessionId=X — EventSource for server-to-client notifications
+        // Always use Streamable HTTP transport for SSE mode.
+        // The legacy SSE transport (endpoint event + /mcp/messages?sessionId=) is deprecated
+        // in the MCP spec and not supported by modern clients (e.g. llama.cpp).
+        // Streamable HTTP uses the standard protocol:
+        //   POST /mcp  — JSON-RPC request → JSON response
+        //   GET  /mcp  — SSE stream for server-to-client notifications
         let beamTransport = null;
-        if (useStreamableHTTP) {
+        {
             const photonName = this.mcp?.name || 'photon';
             beamTransport = new BeamCompatTransport(photonName, {
                 description: this.mcp?.description,
@@ -2068,7 +1653,7 @@ export class PhotonServer {
                 stateful: !!this.mcp?.stateful,
                 hasSettings: !!this.mcp?.hasSettings,
             });
-            this.interceptTransportForRawCapabilities(beamTransport, this.server);
+            this.capabilityNegotiator.interceptTransportForRawCapabilities(beamTransport, this.server, (msg) => this.channelManager.interceptPermissionRequest(msg));
             await this.server.connect(beamTransport);
             // Wire sub-photons: collect all loaded photons except the main one
             const mainName = this.mcp?.name || 'photon';
@@ -2127,14 +1712,17 @@ export class PhotonServer {
                     return;
                 }
                 const url = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+                const corsOrigin = getCorsOrigin(req);
                 // Handle CORS preflight
                 if (req.method === 'OPTIONS') {
-                    res.writeHead(204, {
-                        'Access-Control-Allow-Origin': '*',
+                    const preflightHeaders = {
                         'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-                        'Access-Control-Allow-Headers': 'Content-Type, Accept, Mcp-Session-Id',
+                        'Access-Control-Allow-Headers': 'Content-Type, Accept, Mcp-Session-Id, Mcp-Protocol-Version, X-Photon-Request',
                         'Access-Control-Expose-Headers': 'Mcp-Session-Id',
-                    });
+                    };
+                    if (corsOrigin)
+                        preflightHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                    res.writeHead(204, preflightHeaders);
                     res.end();
                     return;
                 }
@@ -2145,7 +1733,7 @@ export class PhotonServer {
                 }
                 // Legacy SSE transport (when not using Streamable HTTP)
                 if (!beamTransport && req.method === 'GET' && url.pathname === ssePath) {
-                    await this.handleSSEConnection(res, messagesPath);
+                    await this.handleSSEConnection(req, res, messagesPath);
                     return;
                 }
                 if (!beamTransport && req.method === 'POST' && url.pathname === messagesPath) {
@@ -2154,7 +1742,10 @@ export class PhotonServer {
                 }
                 // Serve embedded index.html at root when assets are available
                 if (req.method === 'GET' && url.pathname === '/' && this.options.embeddedAssets) {
-                    res.writeHead(200, { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' });
+                    const htmlHeaders = { 'Content-Type': 'text/html' };
+                    if (corsOrigin)
+                        htmlHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                    res.writeHead(200, htmlHeaders);
                     res.end(this.options.embeddedAssets.indexHtml);
                     return;
                 }
@@ -2192,10 +1783,10 @@ export class PhotonServer {
                     }
                     // API: List all photons
                     if (req.method === 'GET' && url.pathname === '/api/photons') {
-                        res.writeHead(200, {
-                            'Content-Type': 'application/json',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const photonHeaders = { 'Content-Type': 'application/json' };
+                        if (corsOrigin)
+                            photonHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, photonHeaders);
                         try {
                             const photons = await this.listAllPhotons();
                             res.end(JSON.stringify({ photons }));
@@ -2208,10 +1799,10 @@ export class PhotonServer {
                     }
                     // API: List tools (for compatibility, now returns current photon)
                     if (req.method === 'GET' && url.pathname === '/api/tools') {
-                        res.writeHead(200, {
-                            'Content-Type': 'application/json',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const toolHeaders = { 'Content-Type': 'application/json' };
+                        if (corsOrigin)
+                            toolHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, toolHeaders);
                         const tools = this.mcp?.tools.map((tool) => {
                             const linkedUI = this.mcp?.assets?.ui.find((u) => u.linkedTool === tool.name || u.linkedTools?.includes(tool.name));
                             return {
@@ -2231,10 +1822,10 @@ export class PhotonServer {
                         return;
                     }
                     if (req.method === 'GET' && url.pathname === '/api/status') {
-                        res.writeHead(200, {
-                            'Content-Type': 'application/json',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const statusHeaders = { 'Content-Type': 'application/json' };
+                        if (corsOrigin)
+                            statusHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, statusHeaders);
                         res.end(JSON.stringify(this.buildStatusSnapshot()));
                         return;
                     }
@@ -2246,7 +1837,8 @@ export class PhotonServer {
                 // API: Call tool
                 if (req.method === 'POST' && url.pathname === '/api/call') {
                     // Security: restrict CORS to localhost and require local request
-                    res.setHeader('Access-Control-Allow-Origin', `http://localhost:${this.options.port || 3000}`);
+                    if (corsOrigin)
+                        res.setHeader('Access-Control-Allow-Origin', corsOrigin);
                     res.setHeader('Content-Type', 'application/json');
                     if (!isLocalRequest(req)) {
                         res.writeHead(403);
@@ -2278,7 +1870,8 @@ export class PhotonServer {
                 }
                 // API: Call tool with streaming progress (SSE)
                 if (req.method === 'POST' && url.pathname === '/api/call-stream') {
-                    res.setHeader('Access-Control-Allow-Origin', `http://localhost:${this.options.port || 3000}`);
+                    if (corsOrigin)
+                        res.setHeader('Access-Control-Allow-Origin', corsOrigin);
                     res.setHeader('Content-Type', 'text/event-stream');
                     res.setHeader('Cache-Control', 'no-cache');
                     res.setHeader('Connection', 'keep-alive');
@@ -2342,11 +1935,7 @@ export class PhotonServer {
                                         sendNotification('notifications/emit', { event: emit });
                                     }
                                     // Forward channel events to daemon for cross-process pub/sub
-                                    if (this.daemonName && emit.channel) {
-                                        publishToChannel(this.daemonName, emit.channel, emit, this.options.workingDir).catch(() => {
-                                            // Ignore publish errors - daemon may not be running
-                                        });
-                                    }
+                                    this.channelManager.publishIfChannel(emit);
                                 };
                                 sendNotification('notifications/status', {
                                     type: 'info',
@@ -2389,10 +1978,10 @@ export class PhotonServer {
                     if (ui?.resolvedPath) {
                         try {
                             const content = await readText(ui.resolvedPath);
-                            res.writeHead(200, {
-                                'Content-Type': 'text/html',
-                                'Access-Control-Allow-Origin': '*',
-                            });
+                            const uiHeaders = { 'Content-Type': 'text/html' };
+                            if (corsOrigin)
+                                uiHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                            res.writeHead(200, uiHeaders);
                             res.end(content);
                             return;
                         }
@@ -2410,11 +1999,13 @@ export class PhotonServer {
                     if (req.method === 'GET' && url.pathname === '/api/diagnostics') {
                         const { PHOTON_VERSION } = await import('./version.js');
                         const photonName = this.mcp?.name || 'photon';
-                        const tools = this.mcp ? Object.keys(this.mcp._toolSchemas || {}).length : 0;
-                        res.writeHead(200, {
-                            'Content-Type': 'application/json',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const tools = this.mcp
+                            ? Object.keys(this.mcp._toolSchemas || {}).length
+                            : 0;
+                        const diagHeaders = { 'Content-Type': 'application/json' };
+                        if (corsOrigin)
+                            diagHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, diagHeaders);
                         res.end(JSON.stringify({
                             photonVersion: PHOTON_VERSION,
                             workingDir: process.cwd(),
@@ -2443,28 +2034,34 @@ export class PhotonServer {
                             hostVersion: '1.5.0',
                             injectedPhotons: [],
                         });
-                        res.writeHead(200, { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' });
+                        const bridgeHeaders = { 'Content-Type': 'text/html' };
+                        if (corsOrigin)
+                            bridgeHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, bridgeHeaders);
                         res.end(script);
                         return;
                     }
                     if (req.method === 'GET' && url.pathname === '/index.html') {
-                        res.writeHead(200, { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' });
+                        const indexHeaders = { 'Content-Type': 'text/html' };
+                        if (corsOrigin)
+                            indexHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, indexHeaders);
                         res.end(assets.indexHtml);
                         return;
                     }
                     if (req.method === 'GET' && url.pathname === '/beam.bundle.js') {
-                        res.writeHead(200, {
-                            'Content-Type': 'text/javascript',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const jsHeaders = { 'Content-Type': 'text/javascript' };
+                        if (corsOrigin)
+                            jsHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, jsHeaders);
                         res.end(assets.bundleJs);
                         return;
                     }
                     if (req.method === 'GET' && url.pathname === '/sw.js') {
-                        res.writeHead(200, {
-                            'Content-Type': 'text/javascript',
-                            'Access-Control-Allow-Origin': '*',
-                        });
+                        const swHeaders = { 'Content-Type': 'text/javascript' };
+                        if (corsOrigin)
+                            swHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, swHeaders);
                         res.end('self.addEventListener("fetch", () => {});');
                         return;
                     }
@@ -2479,14 +2076,20 @@ export class PhotonServer {
 <script>window.PHOTON_APP_NAME="${appName}";window.PHOTON_SSE_URL=window.location.origin;</script>
 <script src="/beam.bundle.js"></script>
 </body></html>`;
-                        res.writeHead(200, { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' });
+                        const appHeaders = { 'Content-Type': 'text/html' };
+                        if (corsOrigin)
+                            appHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                        res.writeHead(200, appHeaders);
                         res.end(appHtml);
                         return;
                     }
                 }
                 // SPA fallback: serve index.html for unmatched GET requests (compiled binary with Beam UI)
                 if (req.method === 'GET' && this.options.embeddedAssets) {
-                    res.writeHead(200, { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': '*' });
+                    const fallbackHeaders = { 'Content-Type': 'text/html' };
+                    if (corsOrigin)
+                        fallbackHeaders['Access-Control-Allow-Origin'] = corsOrigin;
+                    res.writeHead(200, fallbackHeaders);
                     res.end(this.options.embeddedAssets.indexHtml);
                     return;
                 }
@@ -2499,17 +2102,7 @@ export class PhotonServer {
         });
         await new Promise((resolve) => {
             this.httpServer.listen(port, () => {
-                this.log('info', `${this.mcp.name} MCP server listening`, {
-                    transport: 'sse',
-                    port,
-                    devMode: this.devMode,
-                });
-                this.log('debug', 'SSE endpoints ready', {
-                    baseUrl: `http://localhost:${port}`,
-                    ssePath,
-                    messagesPath,
-                    playground: this.devMode ? `http://localhost:${port}/playground` : undefined,
-                });
+                process.stdout.write(`⚡ ${this.mcp.name} → http://localhost:${port}${ssePath}\n`);
                 resolve();
             });
         });
@@ -2553,8 +2146,10 @@ export class PhotonServer {
     /**
      * Handle new SSE connection
      */
-    async handleSSEConnection(res, messagesPath) {
-        res.setHeader('Access-Control-Allow-Origin', '*');
+    async handleSSEConnection(req, res, messagesPath) {
+        const origin = getCorsOrigin(req);
+        if (origin)
+            res.setHeader('Access-Control-Allow-Origin', origin);
         // Create a new MCP server instance for this session
         const sessionServer = new Server({
             name: this.mcp?.name || 'photon-mcp',
@@ -2574,7 +2169,7 @@ export class PhotonServer {
         this.setupSessionHandlers(sessionServer);
         // Create SSE transport
         const transport = new SSEServerTransport(messagesPath, res);
-        this.interceptTransportForRawCapabilities(transport, sessionServer);
+        this.capabilityNegotiator.interceptTransportForRawCapabilities(transport, sessionServer, (msg) => this.channelManager.interceptPermissionRequest(msg));
         const sessionId = transport.sessionId;
         // Store session
         this.sseSessions.set(sessionId, { server: sessionServer, transport });
@@ -2621,7 +2216,9 @@ export class PhotonServer {
      * Handle incoming SSE message
      */
     async handleSSEMessage(req, res, url) {
-        res.setHeader('Access-Control-Allow-Origin', '*');
+        const origin = getCorsOrigin(req);
+        if (origin)
+            res.setHeader('Access-Control-Allow-Origin', origin);
         res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
         const sessionId = url.searchParams.get('sessionId');
         if (!sessionId) {
@@ -2680,476 +2277,14 @@ export class PhotonServer {
             return this.handleGetPrompt(request);
         });
         sessionServer.setRequestHandler(ListResourcesRequestSchema, async () => {
-            return this.handleListResources(ctx);
+            return this.resourceServer.handleListResources(this.mcp);
         });
         sessionServer.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {
-            return this.handleListResourceTemplates();
+            return this.resourceServer.handleListResourceTemplates(this.mcp);
         });
         sessionServer.setRequestHandler(ReadResourceRequestSchema, async (request) => {
-            return this.handleReadResource(request);
-        });
-    }
-    /**
-     * Handle asset read (for both stdio and SSE handlers)
-     */
-    /**
-     * Handle SEP-1865 ui:// resource read
-     */
-    async handleUIAssetRead(uri, assetId, photon) {
-        const target = photon || this.mcp;
-        const photonName = target.name;
-        let content;
-        // Try embedded templates first (compiled binary mode)
-        if (this.options.embeddedUITemplates) {
-            const templates = this.options.embeddedUITemplates[photonName];
-            if (templates && templates[assetId]) {
-                content = templates[assetId];
-            }
-        }
-        // Fall back to disk if not embedded
-        if (!content) {
-            if (!target.assets?.ui) {
-                throw new Error(`UI asset not found: ${uri}`);
-            }
-            const ui = target.assets.ui.find((u) => u.id === assetId);
-            if (!ui || !ui.resolvedPath) {
-                throw new Error(`UI asset not found: ${uri}`);
-            }
-            content = await readText(ui.resolvedPath);
-        }
-        // Wrap .photon.html fragments in a full HTML document.
-        // These files contain only <style>, markup, and <script> — no <!doctype> or <html>.
-        // Beam wraps them automatically, but MCP clients (Claude Desktop) need a complete document.
-        const isFragment = !content.trimStart().toLowerCase().startsWith('<!doctype') &&
-            !content.trimStart().toLowerCase().startsWith('<html');
-        if (isFragment) {
-            content = `<!doctype html>\n<html lang="en">\n<head>\n<meta charset="UTF-8">\n<meta name="viewport" content="width=device-width, initial-scale=1.0">\n</head>\n<body>\n${content}\n</body>\n</html>`;
-        }
-        // Inject MCP Apps bridge script for Claude Desktop compatibility
-        const bridgeScript = this.generateMcpAppsBridge();
-        content = content.replace('<head>', `<head>\n${bridgeScript}`);
-        return {
-            contents: [{ uri, mimeType: 'text/html;profile=mcp-app', text: content }],
-        };
-    }
-    /**
-     * Generate minimal MCP Apps bridge script for Claude Desktop compatibility
-     * This handles the ui/initialize handshake and tool result delivery
-     */
-    generateMcpAppsBridge() {
-        const photonName = this.mcp?.name || 'photon-app';
-        const injectedPhotons = this.mcp?.injectedPhotons || [];
-        return `<script>
-(function() {
-  'use strict';
-  var pendingCalls = {};
-  var callIdCounter = 0;
-  var toolResult = null;
-  var resultListeners = [];
-  var emitListeners = [];
-  var themeListeners = [];
-  var eventListeners = {};  // For specific event subscriptions (e.g., 'taskMove')
-  var photonEventListeners = {};  // Namespaced by photon name for injected photons
-  var currentTheme = 'dark';
-  var injectedPhotons = ${JSON.stringify(injectedPhotons)};
-
-  function generateCallId() {
-    return 'call_' + (++callIdCounter) + '_' + Math.random().toString(36).slice(2);
-  }
-
-  function postToHost(msg) {
-    window.parent.postMessage(msg, '*');
-  }
-
-  // Listen for messages from host
-  window.addEventListener('message', function(e) {
-    var m = e.data;
-    if (!m || typeof m !== 'object') return;
-
-    // Handle JSON-RPC messages
-    if (m.jsonrpc === '2.0') {
-      // Response to our request (has id, no method)
-      if (m.id && !m.method && pendingCalls[m.id]) {
-        var pending = pendingCalls[m.id];
-        delete pendingCalls[m.id];
-        if (m.error) {
-          pending.reject(new Error(m.error.message));
-        } else {
-          // Extract clean data from MCP result format
-          var result = m.result;
-          var cleanData = result;
-          if (result && result.structuredContent) {
-            cleanData = result.structuredContent;
-          } else if (result && result.content && Array.isArray(result.content)) {
-            var textItem = result.content.find(function(i) { return i.type === 'text'; });
-            if (textItem && textItem.text) {
-              try { cleanData = JSON.parse(textItem.text); } catch(e) { cleanData = textItem.text; }
-            }
-          }
-          pending.resolve(cleanData);
-        }
-        return;
-      }
-
-      // Tool result notification
-      if (m.method === 'ui/notifications/tool-result') {
-        var result = m.params;
-        // Extract data from MCP result format
-        if (result.structuredContent) {
-          toolResult = result.structuredContent;
-        } else if (result.content && Array.isArray(result.content)) {
-          var textItem = result.content.find(function(i) { return i.type === 'text'; });
-          if (textItem && textItem.text) {
-            try { toolResult = JSON.parse(textItem.text); } catch(e) { toolResult = textItem.text; }
-          }
-        } else {
-          toolResult = result;
-        }
-        // Set __PHOTON_DATA__ for UIs that read it at init
-        window.__PHOTON_DATA__ = toolResult;
-        // Dispatch event for UIs to re-initialize with new data
-        window.dispatchEvent(new CustomEvent('photon:data-ready', { detail: toolResult }));
-        resultListeners.forEach(function(cb) { cb(toolResult); });
-      }
-
-      // Host context changed (theme + embedded photon events)
-      if (m.method === 'ui/notifications/host-context-changed') {
-        // Standard theme handling
-        if (m.params && m.params.theme) {
-          currentTheme = m.params.theme;
-          document.documentElement.classList.remove('light', 'dark', 'light-theme');
-          document.documentElement.classList.add(m.params.theme);
-          document.documentElement.setAttribute('data-theme', m.params.theme);
-          // Apply theme token CSS variables (matching platform-compat applyThemeTokens)
-          if (m.params.styles && m.params.styles.variables) {
-            var root = document.documentElement;
-            var vars = m.params.styles.variables;
-            for (var key in vars) { root.style.setProperty(key, vars[key]); }
-          }
-          // Apply background/text colors to match platform-compat bridge
-          if (m.params.theme === 'light') {
-            document.documentElement.classList.add('light-theme');
-            document.documentElement.style.colorScheme = 'light';
-            document.documentElement.style.backgroundColor = '#ffffff';
-            if (document.body) { document.body.style.backgroundColor = '#ffffff'; document.body.style.color = '#1a1a1a'; }
-          } else {
-            document.documentElement.style.colorScheme = 'dark';
-            document.documentElement.style.backgroundColor = '#0d0d0d';
-            if (document.body) { document.body.style.backgroundColor = '#0d0d0d'; document.body.style.color = '#e6e6e6'; }
-          }
-          themeListeners.forEach(function(cb) { cb(currentTheme); });
-        }
-
-        // Extract embedded photon event data
-        // This enables real-time sync via standard MCP protocol
-        if (m.params && m.params._photon) {
-          var photonData = m.params._photon;
-          // Route to generic emit listeners
-          emitListeners.forEach(function(cb) { cb(photonData); });
-
-          var eventName = photonData.event;
-          var sourcePhoton = photonData.data && photonData.data._source;
-
-          // Route to photon-specific listeners if _source is specified (injected photon events)
-          if (sourcePhoton && photonEventListeners[sourcePhoton] && photonEventListeners[sourcePhoton][eventName]) {
-            photonEventListeners[sourcePhoton][eventName].forEach(function(cb) {
-              cb(photonData.data);
-            });
-          }
-
-          // Also route to global event listeners (main photon events, or fallback)
-          if (eventName && eventListeners[eventName]) {
-            eventListeners[eventName].forEach(function(cb) {
-              cb(photonData.data);
-            });
-          }
-        }
-      }
-    }
-  });
-
-  // Mark that we're in MCP Apps context (not Beam)
-  window.__MCP_APPS_CONTEXT__ = true;
-
-  // Expose photon bridge API
-  window.photon = {
-    get toolOutput() { return toolResult; },
-    onResult: function(cb) {
-      resultListeners.push(cb);
-      if (toolResult) cb(toolResult);
-      return function() {
-        var i = resultListeners.indexOf(cb);
-        if (i >= 0) resultListeners.splice(i, 1);
-      };
-    },
-    callTool: function(name, args, opts) {
-      var callId = generateCallId();
-      return new Promise(function(resolve, reject) {
-        pendingCalls[callId] = { resolve: resolve, reject: reject };
-        var a = args || {};
-        if (opts && opts.instance !== undefined) { a = Object.assign({}, a, { _targetInstance: opts.instance }); }
-        postToHost({
-          jsonrpc: '2.0',
-          id: callId,
-          method: 'tools/call',
-          params: { name: name, arguments: a }
+            return this.resourceServer.handleReadResource(request, this.mcp);
         });
-        setTimeout(function() {
-          if (pendingCalls[callId]) {
-            delete pendingCalls[callId];
-            reject(new Error('Tool call timeout'));
-          }
-        }, 30000);
-      });
-    },
-    invoke: function(name, args, opts) { return window.photon.callTool(name, args, opts); },
-    onEmit: function(cb) {
-      emitListeners.push(cb);
-      return function() {
-        var i = emitListeners.indexOf(cb);
-        if (i >= 0) emitListeners.splice(i, 1);
-      };
-    },
-    onThemeChange: function(cb) {
-      themeListeners.push(cb);
-      // Call immediately with current theme
-      cb(currentTheme);
-      return function() {
-        var i = themeListeners.indexOf(cb);
-        if (i >= 0) themeListeners.splice(i, 1);
-      };
-    },
-    get theme() { return currentTheme; },
-
-    // Generic event subscription for real-time sync
-    // Usage: photon.on('taskMove', function(data) { ... })
-    on: function(eventName, cb) {
-      if (!eventListeners[eventName]) eventListeners[eventName] = [];
-      eventListeners[eventName].push(cb);
-      return function() {
-        var i = eventListeners[eventName].indexOf(cb);
-        if (i >= 0) eventListeners[eventName].splice(i, 1);
-      };
-    },
-
-    // Photon-specific event subscription (for injected photon events)
-    // Usage: photon.onPhoton('notifications', 'alertCreated', function(data) { ... })
-    onPhoton: function(photonName, eventName, cb) {
-      if (!photonEventListeners[photonName]) photonEventListeners[photonName] = {};
-      if (!photonEventListeners[photonName][eventName]) photonEventListeners[photonName][eventName] = [];
-      photonEventListeners[photonName][eventName].push(cb);
-      return function() {
-        var i = photonEventListeners[photonName][eventName].indexOf(cb);
-        if (i >= 0) photonEventListeners[photonName][eventName].splice(i, 1);
-      };
-    }
-  };
-
-  // Create direct window object: window.{photonName}
-  // This provides a clean class-like API that mirrors server methods:
-  //   Server: this.emit('taskMove', data)
-  //   Client: kanban.onTaskMove(cb) - subscribe to events
-  //   Client: kanban.taskMove(args) - call server method
-  var photonName = '${photonName}';
-  window[photonName] = new Proxy({}, {
-    get: function(target, prop) {
-      if (typeof prop !== 'string') return undefined;
-
-      // onEventName -> subscribe to 'eventName' event
-      // e.g., onTaskMove -> subscribe to 'taskMove'
-      if (prop.startsWith('on') && prop.length > 2) {
-        var eventName = prop.charAt(2).toLowerCase() + prop.slice(3);
-        return function(cb) {
-          return window.photon.on(eventName, cb);
-        };
-      }
-
-      // methodName -> call server tool
-      // e.g., taskMove(args) -> photon.callTool('taskMove', args)
-      return function(args) {
-        return window.photon.callTool(prop, args);
-      };
-    }
-  });
-
-  // Create proxies for injected photons (for event subscriptions)
-  // e.g., notifications.onAlertCreated(cb) subscribes to 'alertCreated' from 'notifications' photon
-  injectedPhotons.forEach(function(injectedName) {
-    window[injectedName] = new Proxy({}, {
-      get: function(target, prop) {
-        if (typeof prop !== 'string') return undefined;
-
-        // onEventName -> subscribe to photon-specific event
-        if (prop.startsWith('on') && prop.length > 2) {
-          var eventName = prop.charAt(2).toLowerCase() + prop.slice(3);
-          return function(cb) {
-            return window.photon.onPhoton(injectedName, eventName, cb);
-          };
-        }
-
-        // Method calls on injected photons are not supported from client
-        // (injected photon methods are only available server-side)
-        return undefined;
-      }
-    });
-  });
-
-  // Size notification helper
-  function sendSizeChanged() {
-    var body = document.body;
-    var root = document.documentElement;
-
-    // Calculate actual content dimensions
-    var width = Math.max(
-      body.scrollWidth,
-      body.offsetWidth,
-      root.clientWidth,
-      root.scrollWidth,
-      root.offsetWidth
-    );
-    var height = Math.max(
-      body.scrollHeight,
-      body.offsetHeight,
-      root.clientHeight,
-      root.scrollHeight,
-      root.offsetHeight
-    );
-
-    // Check for scrollable containers with overflow:hidden that hide true content size
-    var containers = document.querySelectorAll('.board, [style*="overflow"]');
-    containers.forEach(function(el) {
-      if (el.scrollWidth > width) width = el.scrollWidth;
-      if (el.scrollHeight > height) height = el.scrollHeight;
-    });
-
-    // For kanban-style boards, calculate from column count
-    var columns = document.querySelectorAll('.column');
-    if (columns.length > 0) {
-      var columnWidth = 220; // min-width + gap
-      var boardPadding = 48;
-      var neededWidth = (columns.length * columnWidth) + boardPadding;
-      if (neededWidth > width) width = neededWidth;
-    }
-
-    // Reasonable minimums, maximums, and padding
-    width = Math.max(width, 600) + 32;
-    // Force minimum height for kanban-style boards
-    // header(120) + column headers(50) + 3-4 cards(450) = 620
-    if (columns.length > 0) {
-      height = Math.max(height, 620);
-    } else {
-      height = Math.max(height, 400);
-    }
-
-    postToHost({
-      jsonrpc: '2.0',
-      method: 'ui/notifications/size-changed',
-      params: { width: width, height: height }
-    });
-  }
-
-  // MCP Apps handshake: send ui/initialize and wait for response
-  var initId = generateCallId();
-  pendingCalls[initId] = {
-    resolve: function(result) {
-      // Apply theme from host context (matching platform-compat bridge)
-      if (result.hostContext && result.hostContext.theme) {
-        currentTheme = result.hostContext.theme;
-        document.documentElement.classList.remove('light', 'dark', 'light-theme');
-        document.documentElement.classList.add(result.hostContext.theme);
-        document.documentElement.setAttribute('data-theme', result.hostContext.theme);
-        // Apply theme token CSS variables from host context
-        if (result.hostContext.styles && result.hostContext.styles.variables) {
-          var root = document.documentElement;
-          var vars = result.hostContext.styles.variables;
-          for (var key in vars) { root.style.setProperty(key, vars[key]); }
-        }
-        if (result.hostContext.theme === 'light') {
-          document.documentElement.classList.add('light-theme');
-          document.documentElement.style.colorScheme = 'light';
-        } else {
-          document.documentElement.style.colorScheme = 'dark';
-        }
-      }
-      // Complete handshake
-      postToHost({ jsonrpc: '2.0', method: 'ui/notifications/initialized', params: {} });
-
-      // Set up size notifications after handshake
-      setTimeout(sendSizeChanged, 100);
-      var resizeObserver = new ResizeObserver(function() {
-        sendSizeChanged();
-      });
-      resizeObserver.observe(document.documentElement);
-      resizeObserver.observe(document.body);
-    },
-    reject: function(err) { console.error('MCP Apps init failed:', err); }
-  };
-
-  postToHost({
-    jsonrpc: '2.0',
-    id: initId,
-    method: 'ui/initialize',
-    params: {
-      appInfo: { name: '${photonName}', version: '1.0.0' },
-      appCapabilities: {},
-      protocolVersion: '2026-01-26'
-    }
-  });
-})();
-</script>`;
-    }
-    /**
-     * Handle photon:// asset read (Beam format)
-     */
-    async handleAssetRead(uri, assetMatch) {
-        const [, _photonName, assetType, assetId] = assetMatch;
-        let resolvedPath;
-        let mimeType = 'text/plain';
-        if (assetType === 'ui') {
-            const ui = this.mcp.assets.ui.find((u) => u.id === assetId);
-            if (ui) {
-                resolvedPath = ui.resolvedPath;
-                mimeType = ui.mimeType || 'text/html;profile=mcp-app';
-            }
-        }
-        else if (assetType === 'prompts') {
-            const prompt = this.mcp.assets.prompts.find((p) => p.id === assetId);
-            if (prompt) {
-                resolvedPath = prompt.resolvedPath;
-                mimeType = 'text/markdown';
-            }
-        }
-        else if (assetType === 'resources') {
-            const resource = this.mcp.assets.resources.find((r) => r.id === assetId);
-            if (resource) {
-                resolvedPath = resource.resolvedPath;
-                mimeType = resource.mimeType || 'application/octet-stream';
-            }
-        }
-        if (resolvedPath) {
-            let content = await readText(resolvedPath);
-            // Inject MCP Apps bridge for UI assets
-            if (assetType === 'ui') {
-                const bridgeScript = this.generateMcpAppsBridge();
-                content = content.replace('<head>', `<head>\n${bridgeScript}`);
-            }
-            return {
-                contents: [{ uri, mimeType, text: content }],
-            };
-        }
-        throw new Error(`Asset not found: ${uri}`);
-    }
-    /**
-     * Handle static resource read (for both stdio and SSE handlers)
-     */
-    async handleStaticRead(uri) {
-        const static_ = this.mcp.statics.find((s) => s.uri === uri || this.matchUriPattern(s.uri, uri));
-        if (!static_) {
-            throw new Error(`Resource not found: ${uri}`);
-        }
-        const params = this.parseUriParams(static_.uri, uri);
-        const result = await this.loader.executeTool(this.mcp, static_.name, params);
-        return this.formatStaticResult(result, static_.mimeType);
     }
     /**
      * Stop the server
@@ -3165,15 +2300,7 @@ export class PhotonServer {
                 await this.mcpClientFactory.disconnect();
             }
             // Unsubscribe daemon channels
-            for (const unsubscribe of this.channelUnsubscribers) {
-                try {
-                    unsubscribe();
-                }
-                catch {
-                    /* ignore */
-                }
-            }
-            this.channelUnsubscribers = [];
+            this.channelManager.cleanup();
             // Close SSE sessions — snapshot to avoid live-iterator + await issues
             for (const session of Array.from(this.sseSessions.values())) {
                 await session.server.close();
@@ -3226,12 +2353,15 @@ export class PhotonServer {
         };
     }
     handleStatusStream(_req, res) {
-        res.writeHead(200, {
+        const ssHeaders = {
             'Content-Type': 'text/event-stream',
             'Cache-Control': 'no-cache',
             Connection: 'keep-alive',
-            'Access-Control-Allow-Origin': '*',
-        });
+        };
+        const origin = getCorsOrigin(_req);
+        if (origin)
+            ssHeaders['Access-Control-Allow-Origin'] = origin;
+        res.writeHead(200, ssHeaders);
         res.write(`data: ${JSON.stringify(this.buildStatusSnapshot())}\n\n`);
         this.statusClients.add(res);
         const cleanup = () => {