Committing WIP

+# Moqui MCP v2 Server Agent Guide
+
+This guide explains how to interact with the Moqui MCP v2 server component for AI-Moqui integration using the Model Context Protocol (MCP).
+
+## Architecture Overview
+
+```
+moqui-mcp-2/
+├── AGENTS.md                    # This file - MCP server agent guide
+├── component.xml               # Component configuration
+├── entity/                     # MCP entity definitions
+│   └── McpCoreEntities.xml     # Core MCP entities
+├── service/                    # MCP service implementations
+│   ├── McpDiscoveryServices.xml # Tool discovery services
+│   ├── McpExecutionServices.xml # Tool execution services
+│   ├── McpSecurityServices.xml  # Session/security services
+│   └── mcp.rest.xml            # REST API endpoints
+├── screen/                     # Web interface screens
+│   └── webapp.xml              # MCP web interface
+└── template/                   # UI templates
+    └── McpInfo.html.ftl        # MCP info page
+```
+
+## MCP Server Capabilities
+
+### Core Features
+- **Session Management**: Secure session creation, validation, and termination
+- **Tool Discovery**: Dynamic discovery of available Moqui services and entities
+- **Tool Execution**: Secure execution of services with proper authorization
+- **Entity Operations**: Direct entity query capabilities with permission checks
+- **Health Monitoring**: Server health and status monitoring
+
+### Security Model
+- **Session-based Authentication**: Uses Moqui's built-in user authentication
+- **Context Tokens**: Secure token-based session validation
+- **Permission Validation**: All operations checked against Moqui security framework
+- **Audit Logging**: Complete audit trail of all MCP operations
+
+## REST API Endpoints
+
+### Session Management
+```
+POST /mcp-2/session
+- Create new MCP session
+- Parameters: username, password, clientInfo, ipAddress, userAgent
+- Returns: sessionId, contextToken, expiration
+
+POST /mcp-2/session/{visitId}/validate  
+- Validate existing session
+- Parameters: visitId (from path), contextToken
+- Returns: session validity, user info
+
+POST /mcp-2/session/{visitId}/terminate
+- Terminate active session
+- Parameters: visitId (from path), contextToken
+- Returns: termination confirmation
+```
+
+### Tool Discovery
+```
+POST /mcp-2/tools/discover
+- Discover available MCP tools
+- Parameters: userAccountId, visitId, servicePattern, packageName, verb, noun
+- Returns: List of available tools with metadata
+
+POST /mcp-2/tools/validate
+- Validate access to specific tools
+- Parameters: userAccountId, serviceNames, visitId
+- Returns: Access validation results
+```
+
+### Tool Execution
+```
+POST /mcp-2/tools/execute
+- Execute service as MCP tool
+- Parameters: sessionId, contextToken, serviceName, parameters, toolCallId
+- Returns: Service execution results
+
+POST /mcp-2/tools/entity/query
+- Execute entity query as MCP tool
+- Parameters: sessionId, contextToken, serviceName, parameters, toolCallId
+- Returns: Entity query results
+```
+
+### Health Check
+```
+GET /mcp-2/health
+- Server health status
+- Returns: Server status, version, available endpoints
+```
+
+## Agent Integration Patterns
+
+### 1. Session Initialization
+```bash
+# Create session
+curl -X POST http://localhost:8080/mcp-2/session \
+  -H "Content-Type: application/json" \
+  -d '{
+    "username": "admin",
+    "password": "admin",
+    "clientInfo": "AI-Agent-v1.0"
+  }'
+
+# Response: { "sessionId": "12345", "contextToken": "abc123", "expires": "2025-01-01T00:00:00Z" }
+```
+
+### 2. Tool Discovery Workflow
+```bash
+# Discover available tools
+curl -X POST http://localhost:8080/mcp-2/tools/discover \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer abc123" \
+  -d '{
+    "userAccountId": "ADMIN",
+    "visitId": "12345",
+    "servicePattern": "org.moqui.*"
+  }'
+
+# Response: { "tools": [ { "name": "create#Order", "description": "...", "parameters": [...] } ] }
+```
+
+### 3. Tool Execution Pattern
+```bash
+# Execute a service
+curl -X POST http://localhost:8080/mcp-2/tools/execute \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer abc123" \
+  -d '{
+    "sessionId": "12345",
+    "contextToken": "abc123",
+    "serviceName": "org.moqui.example.Services.create#Example",
+    "parameters": { "field1": "value1", "field2": "value2" },
+    "toolCallId": "call_123"
+  }'
+
+# Response: { "result": { "exampleId": "EX123" }, "success": true }
+```
+
+## Security Considerations
+
+### Authentication Requirements
+- All MCP operations require valid session authentication
+- Context tokens must be included in all requests after session creation
+- Sessions expire based on configured timeout settings
+
+### Permission Validation
+- Tool access validated against Moqui user permissions
+- Entity operations respect Moqui entity access controls
+- Service execution requires appropriate service permissions
+
+### Audit and Logging
+- All MCP operations logged to Moqui audit system
+- Session creation, tool discovery, and execution tracked
+- Failed authentication attempts monitored
+
+## Error Handling
+
+### Common Error Responses
+```json
+{
+  "error": "INVALID_SESSION",
+  "message": "Session expired or invalid",
+  "code": 401
+}
+
+{
+  "error": "PERMISSION_DENIED", 
+  "message": "User lacks permission for tool",
+  "code": 403
+}
+
+{
+  "error": "TOOL_NOT_FOUND",
+  "message": "Requested tool not available",
+  "code": 404
+}
+```
+
+### Error Recovery Strategies
+- **Session Expiration**: Re-authenticate and create new session
+- **Permission Issues**: Request additional permissions or use alternative tools
+- **Tool Not Found**: Re-discover available tools and update tool registry
+
+## Performance Optimization
+
+### Caching Strategies
+- Tool discovery results cached for session duration
+- Permission validation results cached per user
+- Entity query results cached based on Moqui cache settings
+
+### Connection Management
+- Use persistent HTTP connections where possible
+- Implement session pooling for high-frequency operations
+- Monitor session lifecycle and cleanup expired sessions
+
+## Integration Examples
+
+### Python Client Example
+```python
+import requests
+import json
+
+class MoquiMCPClient:
+    def __init__(self, base_url, username, password):
+        self.base_url = base_url
+        self.session_id = None
+        self.context_token = None
+        self.authenticate(username, password)
+    
+    def authenticate(self, username, password):
+        response = requests.post(f"{self.base_url}/mcp-2/session", json={
+            "username": username,
+            "password": password
+        })
+        data = response.json()
+        self.session_id = data["sessionId"]
+        self.context_token = data["contextToken"]
+    
+    def discover_tools(self, pattern="*"):
+        response = requests.post(f"{self.base_url}/mcp-2/tools/discover", 
+            headers={"Authorization": f"Bearer {self.context_token}"},
+            json={"servicePattern": pattern}
+        )
+        return response.json()
+    
+    def execute_tool(self, service_name, parameters):
+        response = requests.post(f"{self.base_url}/mcp-2/tools/execute",
+            headers={"Authorization": f"Bearer {self.context_token}"},
+            json={
+                "sessionId": self.session_id,
+                "contextToken": self.context_token,
+                "serviceName": service_name,
+                "parameters": parameters
+            }
+        )
+        return response.json()
+```
+
+### JavaScript Client Example
+```javascript
+class MoquiMCPClient {
+    constructor(baseUrl, username, password) {
+        this.baseUrl = baseUrl;
+        this.authenticate(username, password);
+    }
+    
+    async authenticate(username, password) {
+        const response = await fetch(`${this.baseUrl}/mcp-2/session`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username, password })
+        });
+        const data = await response.json();
+        this.sessionId = data.sessionId;
+        this.contextToken = data.contextToken;
+    }
+    
+    async discoverTools(pattern = '*') {
+        const response = await fetch(`${this.baseUrl}/mcp-2/tools/discover`, {
+            method: 'POST',
+            headers: { 
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${this.contextToken}`
+            },
+            body: JSON.stringify({ servicePattern: pattern })
+        });
+        return response.json();
+    }
+    
+    async executeTool(serviceName, parameters) {
+        const response = await fetch(`${this.baseUrl}/mcp-2/tools/execute`, {
+            method: 'POST',
+            headers: { 
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${this.contextToken}`
+            },
+            body: JSON.stringify({
+                sessionId: this.sessionId,
+                contextToken: this.contextToken,
+                serviceName,
+                parameters
+            })
+        });
+        return response.json();
+    }
+}
+```
+
+## Monitoring and Debugging
+
+### Health Monitoring
+- Monitor `/mcp-2/health` endpoint for server status
+- Track session creation and termination rates
+- Monitor tool execution success/failure rates
+
+### Debug Information
+- Check Moqui logs for MCP-related errors
+- Use Moqui's built-in monitoring tools
+- Monitor REST API access patterns
+
+### Performance Metrics
+- Session creation time
+- Tool discovery response time  
+- Tool execution duration
+- Concurrent session limits
+
+## Configuration
+
+### Component Configuration
+- Session timeout settings in `component.xml`
+- Security permission mappings
+- Cache configuration for performance
+
+### Runtime Configuration
+- Database connection settings
+- REST API endpoint configuration
+- Security context configuration
+
+---
+
+**This guide focuses on MCP server interaction patterns and agent integration.**
+For Moqui framework integration details, see the main project AGENTS.md files.
+For component-specific implementation details, refer to individual service files.
\ No newline at end of file

+# Moqui MCP Server v0.2.0
+
+## Overview
+Simplified MCP server that uses Moqui's native service engine directly, eliminating need for manual tool registry management.
+
+## Evolution from v0.1.0 (moqui-mcp) to v0.2.0 (moqui-mcp-2)
+
+### Architectural Problems Identified in v0.1.0
+
+The original moqui-mcp implementation had significant architectural duplications with Moqui's native systems:
+
+1. **McpToolRegistry vs Service Engine**
+   - Manual tool registry duplicated Moqui's service discovery
+   - Required manual maintenance of tool definitions
+   - Added unnecessary database queries and complexity
+
+2. **McpAuditLog vs ArtifactHit**
+   - Custom audit logging duplicated Moqui's proven ArtifactHit system
+   - Missed built-in performance monitoring and aggregation
+   - Separate audit trail instead of unified system-wide analytics
+
+3. **McpSession vs Visit Entity**
+   - Custom session management duplicated Moqui's Visit entity
+   - Lost geo-location, referrer tracking, and other built-in features
+   - Separate session lifecycle instead of leveraging existing patterns
+
+4. **McpToolCall vs ArtifactHit**
+   - Custom tool call tracking duplicated ArtifactHit functionality
+   - Manual performance tracking instead of automatic aggregation
+   - Separate error handling and logging
+
+### v0.2.0 Architectural Solutions
+
+**Complete Elimination of Duplications**:
+- ❌ McpToolRegistry → ✅ Service Engine (`ec.service.getServiceNames()`)
+- ❌ McpAuditLog → ✅ ArtifactHit (native audit & performance)
+- ❌ McpSession → ✅ Visit Entity (extended with MCP fields)
+- ❌ McpToolCall → ✅ ArtifactHit (with `artifactType="MCP"`)
+
+**Key Architectural Changes**:
+
+1. **Native Service Discovery**
+   ```groovy
+   // Before: Query McpToolRegistry
+   def tools = ec.entity.find("McpToolRegistry").list()
+   
+   // After: Direct service engine access
+   def allServiceNames = ec.service.getServiceNames()
+   def hasPermission = ec.service.hasPermission(serviceName)
+   ```
+
+2. **Unified Session Management**
+   ```xml
+   <!-- Before: Custom McpSession entity -->
+   <entity entity-name="McpSession" package="org.moqui.mcp">
+   
+   <!-- After: Extend native Visit entity -->
+   <extend-entity entity-name="Visit" package="moqui.server">
+       <field name="mcpContextToken" type="text-medium"/>
+       <field name="mcpStatusId" type="id"/>
+       <field name="mcpExpiresDate" type="date-time"/>
+   </extend-entity>
+   ```
+
+3. **System-Wide Analytics**
+   ```sql
+   -- Before: Separate MCP tracking
+   SELECT * FROM McpToolCall ORDER BY startTime DESC;
+   SELECT * FROM McpAuditLog WHERE severity = 'McpSeverityWarning';
+   
+   -- After: Unified system tracking
+   SELECT * FROM moqui.server.ArtifactHit 
+   WHERE artifactType = 'MCP' ORDER BY startDateTime DESC;
+   SELECT * FROM moqui.server.ArtifactHitReport 
+   WHERE artifactType = 'MCP';
+   ```
+
+### Benefits Achieved
+
+**Zero Maintenance**:
+- No manual tool registry updates
+- Automatic reflection of actual Moqui services
+- No custom audit infrastructure to maintain
+
+**Maximum Performance**:
+- Direct service engine access (no extra lookups)
+- Native caching and optimization
+- Built-in performance monitoring
+
+**Unified Analytics**:
+- MCP operations visible in system-wide reports
+- Automatic aggregation via ArtifactHitBin
+- Standard reporting tools and dashboards
+
+**Architectural Purity**:
+- Follows Moqui's established patterns
+- Leverages proven native systems
+- REST service pattern (MCP as service invocation layer)
+
+### Technical Implementation
+
+**MCP Operation Flow**:
+1. Session creation → `Visit` record with MCP extensions
+2. Tool discovery → `ec.service.getServiceNames()` + permission check
+3. Tool execution → Direct service call + `ArtifactHit` creation
+4. Analytics → Native `ArtifactHitReport` aggregation
+
+**Data Model**:
+- Sessions: `moqui.server.Visit` (extended)
+- Operations: `moqui.server.ArtifactHit` (filtered)
+- Performance: `moqui.server.ArtifactHitBin` (automatic)
+- Security: `moqui.security.UserGroupPermission` (native)
+
+This evolution represents a complete architectural alignment with Moqui's core design principles while maintaining full MCP functionality.
+
+## Quick Start
+
+### 1. Add Component to Moqui
+Add to your `MoquiConf.xml`:
+```xml
+<component name="moqui-mcp-2" location="moqui-mcp-2/"/>
+```
+
+### 2. Start Moqui
+```bash
+./gradlew run
+```
+
+### 3. Test MCP Server
+```bash
+# Health check
+curl http://localhost:8080/mcp-2/health
+
+# Create session
+curl -X POST http://localhost:8080/mcp-2/session \
+  -H "Content-Type: application/json" \
+  -d '{"username": "admin", "password": "admin"}'
+```
+
+## Integration with Opencode
+
+### MCP Skill Configuration
+Add to your Opencode configuration:
+
+```json
+{
+  "skills": [
+    {
+      "name": "moqui-mcp",
+      "type": "mcp",
+      "endpoint": "http://localhost:8080/mcp-2",
+      "auth": {
+        "type": "session",
+        "username": "admin",
+        "password": "admin"
+      },
+      "description": "Query business data from Moqui ERP system"
+    }
+  ]
+}
+```
+
+### Example Business Questions
+Once configured, you can ask:
+
+- "Show me all active customers"
+- "What are recent orders for ACME Corp?"
+- "List all products in inventory"
+- "Find unpaid invoices"
+- "Show user accounts with admin permissions"
+
+## API Endpoints
+
+### Session Management
+- `POST /session` - Create session
+- `POST /session/{visitId}/validate` - Validate session  
+- `POST /session/{visitId}/terminate` - Terminate session
+
+### Tool Operations
+- `POST /tools/discover` - Discover available tools
+- `POST /tools/validate` - Validate tool access
+- `POST /tools/execute` - Execute service tool
+- `POST /tools/entity/query` - Execute entity query
+
+### System
+- `GET /health` - Server health check
+
+## Security Model
+
+### Permission-Based Access
+Tools are discovered based on user's `UserGroupPermission` settings:
+- Services: `ec.service.hasPermission(serviceName)`
+- Entities: `ec.user.hasPermission("entity:EntityName", "VIEW")`
+
+### Audit Trail
+All operations are tracked via Moqui's native `ArtifactHit` system:
+- Automatic performance monitoring
+- Built-in security event tracking
+- Configurable persistence (database/ElasticSearch)
+- Standard reporting via `ArtifactHitReport`
+
+## Monitoring
+
+### Check Logs
+```bash
+# MCP operations
+tail -f moqui.log | grep "MCP"
+
+# Session activity
+tail -f moqui.log | grep "Visit"
+```
+
+### Database Queries
+```sql
+-- MCP operations via ArtifactHit
+SELECT * FROM moqui.server.ArtifactHit 
+WHERE artifactType = 'MCP' 
+ORDER BY startDateTime DESC LIMIT 10;
+
+-- MCP sessions (using Visit entity)
+SELECT * FROM moqui.server.Visit 
+WHERE mcpStatusId = 'McsActive' AND webappName = 'mcp-2';
+
+-- MCP service operations
+SELECT * FROM moqui.server.ArtifactHit 
+WHERE artifactType = 'MCP' AND artifactSubType = 'Service'
+ORDER BY startDateTime DESC LIMIT 10;
+
+-- MCP entity operations  
+SELECT * FROM moqui.server.ArtifactHit 
+WHERE artifactType = 'MCP' AND artifactSubType = 'Entity'
+ORDER BY startDateTime DESC LIMIT 10;
+
+-- Performance analytics
+SELECT * FROM moqui.server.ArtifactHitReport 
+WHERE artifactType = 'MCP';
+```
+
+## Next Steps
+
+1. **Test Basic Functionality**: Verify session creation and tool discovery
+2. **Configure Opencode Skill**: Add MCP skill to your Opencode instance
+3. **Test Business Queries**: Try natural language business questions
+4. **Monitor Performance**: Check logs and audit tables
+5. **Extend as Needed**: Add custom services/entities for specific business logic
+
+## Architecture Benefits
+
+- **Zero Maintenance**: No manual tool registry updates
+- **Always Current**: Reflects actual Moqui services in real-time
+- **Secure**: Uses Moqui's proven permission system
+- **Performant**: Direct service engine access, no extra lookups
+- **Unified Analytics**: All MCP operations tracked via native ArtifactHit
+- **Built-in Reporting**: Uses ArtifactHitReport for standard analytics
+- **Native Session Management**: Uses Moqui's Visit entity for session tracking
+- **REST Service Pattern**: MCP is fundamentally a REST service invocation layer
+- **Zero Custom Tracking**: Eliminates McpToolCall duplication with ArtifactHit
+
+This MVP provides core functionality needed to integrate Moqui with Opencode as an MCP skill for business intelligence queries.
\ No newline at end of file

+// Moqui MCP v2 Component Build File
+// Minimal dependencies - depends only on moqui framework
+
+// No additional repositories or dependencies needed
+// All functionality uses native Moqui framework capabilities
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<component xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/component-definition-3.xsd">
+
+    <!-- No dependencies - uses only core framework -->
+
+    <entity-factory load-path="entity/" />
+    <service-factory load-path="service/" />
+    <screen-factory load-path="screen/" />
+    
+    <!-- Load seed data -->
+    <entity-factory load-data="data/McpSecuritySeedData.xml" />
+
+    
+    <webapp name="mcp-2" 
+            title="MCP Server v2" 
+            server="default" 
+            location="webapp"
+            https-enabled="false"
+            require-session-token="false">
+        <root-screen host=".*" screen-path="mcp-2"/>
+    </webapp>
+
+
+
+</component>
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<entity-facade-xml xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/entity-facade-3.xsd">
+
+    <!-- MCP User Group -->
+    <moqui.security.UserGroup userGroupId="McpUser" description="MCP Server Users"/>
+    
+    <!-- MCP Artifact Groups -->
+    <moqui.security.ArtifactGroup artifactGroupId="McpRestPaths" description="MCP REST Paths"/>
+    <moqui.security.ArtifactGroup artifactGroupId="McpServices" description="MCP Services"/>
+    
+    <!-- MCP Artifact Group Members -->
+    <moqui.security.ArtifactGroupMember artifactGroupId="McpRestPaths" artifactName="/rest/s1/mcp-2" artifactTypeEnumId="AT_REST_PATH"/>
+    <moqui.security.ArtifactGroupMember artifactGroupId="McpRestPaths" artifactName="/rest/s1/mcp-2/*" artifactTypeEnumId="AT_REST_PATH"/>
+    <moqui.security.ArtifactGroupMember artifactGroupId="McpServices" artifactName="org.moqui.mcp.*" artifactTypeEnumId="AT_SERVICE"/>
+    
+    <!-- MCP Artifact Authz -->
+    <moqui.security.ArtifactAuthz userGroupId="McpUser" artifactGroupId="McpRestPaths" authzTypeEnumId="AUTHZT_ALLOW" authzActionEnumId="AUTHZA_ALL"/>
+    <moqui.security.ArtifactAuthz userGroupId="McpUser" artifactGroupId="McpServices" authzTypeEnumId="AUTHZT_ALLOW" authzActionEnumId="AUTHZA_ALL"/>
+    
+    <!-- Add john.doe to MCP user group -->
+    <moqui.security.UserGroupMember userGroupId="McpUser" userId="JOHN_DOE" fromDate="2025-01-01 00:00:00.000"/>
+    
+    <!-- Add MCP user to MCP user group -->
+    <moqui.security.UserGroupMember userGroupId="McpUser" userId="MCP_USER" fromDate="2025-01-01 00:00:00.000"/>
+    
+    <!-- Create minimal MCP user for testing -->
+    <moqui.security.UserAccount userId="MCP_USER" username="mcp-user" disabled="N" requirePasswordChange="N" 
+            currentPassword="16ac58bbfa332c1c55bd98b53e60720bfa90d394" passwordHashType="SHA" />
+
+</entity-facade-xml>
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<entities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/entity-definition-3.xsd">
+
+    <!-- Extend Visit entity for MCP-specific session tracking -->
+    <extend-entity entity-name="Visit" package="moqui.server">
+        <field name="mcpContextToken" type="text-medium"/>
+        <field name="mcpStatusId" type="id"/>
+        <field name="mcpExpiresDate" type="date-time"/>
+        <field name="mcpClientInfo" type="text-long"/>
+        <field name="mcpSessionData" type="text-very-long"/>
+        
+        <relationship type="one" related-entity-name="moqui.basic.StatusItem" short-alias="mcpStatus">
+            <key-map field-name="mcpStatusId"/>
+        </relationship>
+        
+        <index name="VISIT_MCP_TOKEN" unique="true">
+            <index-field name="mcpContextToken"/>
+        </index>
+        <index name="VISIT_MCP_USER_STATUS">
+            <index-field name="userId"/>
+            <index-field name="mcpStatusId"/>
+        </index>
+        <index name="VISIT_MCP_EXPIRE">
+            <index-field name="mcpExpiresDate"/>
+        </index>
+    </extend-entity>
+
+
+
+
+
+</entities>
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<screen xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/screen-definition-3.xsd">
+
+    <parameter name="sessionId"/>
+    <parameter name="contextToken"/>
+
+    <widgets>
+        <render-mode>
+            <text type="html" location="component://moqui-mcp-2/template/McpInfo.html.ftl"/>
+        </render-mode>
+    </widgets>
+</screen>
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<services xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/service-definition-3.xsd">
+
+    <!-- MCP Unified Security and Audit Services -->
+    
+    <service verb="create" noun="McpSession" authenticate="false" transaction-timeout="30">
+        <description>Create a new MCP session using Moqui's Visit entity</description>
+        <in-parameters>
+            <parameter name="username" type="text-medium" required="true"/>
+            <parameter name="password" type="text-medium" required="true"/>
+            <parameter name="clientInfo" type="text-long"/>
+            <parameter name="ipAddress" type="text-short"/>
+            <parameter name="userAgent" type="text-medium"/>
+        </in-parameters>
+        <out-parameters>
+            <parameter name="visitId" type="id"/>
+            <parameter name="contextToken" type="text-medium"/>
+            <parameter name="userAccountId" type="id"/>
+            <parameter name="success" type="text-indicator"/>
+            <parameter name="errorMessage" type="text-long"/>
+        </out-parameters>
+        <actions>
+            <script><![CDATA[
+                import org.moqui.context.ExecutionContext
+                import java.util.UUID
+                
+                ExecutionContext ec = context.ec
+                
+                // Authenticate user
+                def userAccount = ec.entity.find("moqui.security.UserAccount")
+                    .condition("username", username)
+                    .one()
+                
+                if (!userAccount) {
+                    success = "N"
+                    errorMessage = "Invalid username or password"
+                    return
+                }
+                
+                // Verify password using Moqui's password service
+                try {
+                    def authResult = ec.service.sync("org.moqui.security.UserServices.authenticate#User", [
+                        username: username,
+                        password: password
+                    ])
+                    
+                    if (!authResult.authenticated) {
+                        success = "N"
+                        errorMessage = "Invalid username or password"
+                        return
+                    }
+                } catch (Exception e) {
+                    success = "N"
+                    errorMessage = "Authentication error: ${e.message}"
+                    return
+                }
+                
+                // Create Visit record (Moqui's native session tracking)
+                def visit = ec.entity.makeValue("moqui.server.Visit")
+                visit.setSequencedIdPrimary()
+                visit.userId = userAccount.userAccountId
+                visit.userCreated = "N"
+                visit.sessionId = UUID.randomUUID().toString()
+                visit.webappName = "mcp-2"
+                visit.initialLocale = ec.user.locale.toString()
+                visit.initialRequest = "MCP Session Creation"
+                visit.initialUserAgent = userAgent
+                visit.clientIpAddress = ipAddress
+                visit.fromDate = ec.user.now
+                
+                // Add MCP-specific fields
+                visit.mcpContextToken = UUID.randomUUID().toString()
+                visit.mcpStatusId = "McsActive"
+                visit.mcpExpiresDate = new Date(ec.user.now.time + (24 * 60 * 60 * 1000)) // 24 hours
+                visit.mcpClientInfo = clientInfo
+                
+                visit.create()
+                
+                visitId = visit.visitId
+                contextToken = visit.mcpContextToken
+                userAccountId = userAccount.userAccountId
+                success = "Y"
+                
+                // Log session creation via ArtifactHit
+                ec.message.addMessage("MCP session created for user ${username}", "info")
+            ]]></script>
+        </actions>
+    </service>
+
+    <service verb="validate" noun="McpSession" authenticate="false" transaction-timeout="30">
+        <description>Validate MCP session using Visit entity</description>
+        <in-parameters>
+            <parameter name="visitId" type="id" required="true"/>
+            <parameter name="contextToken" type="text-medium" required="true"/>
+        </in-parameters>
+        <out-parameters>
+            <parameter name="valid" type="text-indicator"/>
+            <parameter name="userAccountId" type="id"/>
+            <parameter name="errorMessage" type="text-long"/>
+        </out-parameters>
+        <actions>
+            <script><![CDATA[
+                import org.moqui.context.ExecutionContext
+                
+                ExecutionContext ec = context.ec
+                
+                def visit = ec.entity.find("moqui.server.Visit")
+                    .condition("visitId", visitId)
+                    .condition("mcpContextToken", contextToken)
+                    .condition("mcpStatusId", "McsActive")
+                    .one()
+                
+                if (!visit) {
+                    valid = "N"
+                    errorMessage = "Invalid or expired session"
+                    return
+                }
+                
+                // Check if session has expired
+                if (visit.mcpExpiresDate && visit.mcpExpiresDate.before(ec.user.now)) {
+                    // Mark as expired
+                    visit.mcpStatusId = "McsExpired"
+                    visit.thruDate = ec.user.now
+                    visit.update()
+                    
+                    valid = "N"
+                    errorMessage = "Session expired"
+                    return
+                }
+                
+                // Update Visit thruDate (acts as last accessed)
+                visit.thruDate = ec.user.now
+                visit.update()
+                
+                valid = "Y"
+                userAccountId = visit.userId
+            ]]></script>
+        </actions>
+    </service>
+
+    <service verb="terminate" noun="McpSession" authenticate="false" transaction-timeout="30">
+        <description>Terminate MCP session using Visit entity</description>
+        <in-parameters>
+            <parameter name="visitId" type="id" required="true"/>
+            <parameter name="contextToken" type="text-medium" required="true"/>
+        </in-parameters>
+        <out-parameters>
+            <parameter name="success" type="text-indicator"/>
+            <parameter name="errorMessage" type="text-long"/>
+        </out-parameters>
+        <actions>
+            <script><![CDATA[
+                import org.moqui.context.ExecutionContext
+                
+                ExecutionContext ec = context.ec
+                
+                def visit = ec.entity.find("moqui.server.Visit")
+                    .condition("visitId", visitId)
+                    .condition("mcpContextToken", contextToken)
+                    .one()
+                
+                if (!visit) {
+                    success = "N"
+                    errorMessage = "Invalid session"
+                    return
+                }
+                
+                // Mark as terminated
+                visit.mcpStatusId = "McsTerminated"
+                visit.thruDate = ec.user.now
+                visit.update()
+                
+                success = "Y"
+                
+                // Log session termination via ArtifactHit
+                ec.message.addMessage("MCP session terminated", "info")
+            ]]></script>
+        </actions>
+    </service>
+
+
+
+    <service verb="cleanup" noun="ExpiredSessions" authenticate="true" transaction-timeout="300">
+        <description>Cleanup expired MCP sessions</description>
+        <in-parameters>
+            <parameter name="dryRun" type="text-indicator" default="N"/>
+        </in-parameters>
+        <out-parameters>
+            <parameter name="expiredCount" type="number-integer"/>
+            <parameter name="cleanedCount" type="number-integer"/>
+        </out-parameters>
+        <actions>
+            <script><![CDATA[
+                import org.moqui.context.ExecutionContext
+                
+                ExecutionContext ec = context.ec
+                
+                // Find expired MCP sessions
+                def expiredVisits = ec.entity.find("moqui.server.Visit")
+                    .condition("mcpStatusId", "McsActive")
+                    .condition("mcpExpiresDate", ec.user.now, "less-than")
+                    .list()
+                
+                expiredCount = expiredVisits.size()
+                cleanedCount = 0
+                
+                if (dryRun != "Y") {
+                    for (visit in expiredVisits) {
+                        visit.mcpStatusId = "McsExpired"
+                        visit.thruDate = ec.user.now
+                        visit.update()
+                        cleanedCount++
+                        
+                        // Log session expiration via ArtifactHit
+                        ec.message.addMessage("MCP session expired during cleanup", "info")
+                    }
+                }
+            ]]></script>
+        </actions>
+    </service>
+
+</services>
\ No newline at end of file

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This software is in the public domain under CC0 1.0 Universal plus a 
+     Grant of Patent License.
+
+     To the extent possible under law, the author(s) have dedicated all
+     copyright and related and neighboring rights to this software to the
+     public domain worldwide. This software is distributed without any warranty.
+
+     You should have received a copy of the CC0 Public Domain Dedication
+     along with this software (see the LICENSE.md file). If not, see
+     <https://creativecommons.org/publicdomain/zero/1.0/>. -->
+
+<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+          xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/rest-api-3.xsd"
+          name="mcp-2" displayName="MCP v2 REST API" version="2.0.0"
+          description="Model Context Protocol (MCP) v2 server endpoints for AI-Moqui integration">
+
+    <!-- MCP Session Management -->
+    
+    <resource name="session" description="MCP Session Management">
+        <method type="post" json-request="true">
+            <description>Create new MCP session</description>
+            <service name="org.moqui.mcp.McpSecurityServices.create#McpSession"/>
+            <parameter-map>
+                <parameter field-name="username" required="true"/>
+                <parameter field-name="password" required="true"/>
+                <parameter field-name="clientInfo"/>
+                <parameter field-name="ipAddress"/>
+                <parameter field-name="userAgent"/>
+            </parameter-map>
+        </method>
+        
+        <id name="visitId">
+            <method type="post" json-request="true">
+                <description>Validate MCP session</description>
+                <service name="org.moqui.mcp.McpSecurityServices.validate#McpSession"/>
+                <parameter-map>
+                    <parameter field-name="visitId" from="uri-path"/>
+                    <parameter field-name="contextToken" required="true"/>
+                </parameter-map>
+            </method>
+            
+            <resource name="terminate">
+                <method type="post" json-request="true">
+                    <description>Terminate MCP session</description>
+                    <service name="org.moqui.mcp.McpSecurityServices.terminate#McpSession"/>
+                    <parameter-map>
+                        <parameter field-name="visitId" from="uri-path"/>
+                        <parameter field-name="contextToken" required="true"/>
+                    </parameter-map>
+                </method>
+            </resource>
+        </id>
+    </resource>
+
+    <!-- MCP Tool Discovery -->
+    
+    <resource name="tools" description="MCP Tool Discovery and Execution">
+        <resource name="discover">
+            <method type="post" json-request="true">
+                <description>Discover available MCP tools</description>
+                <service name="org.moqui.mcp.McpDiscoveryServices.discover#McpTools"/>
+                <parameter-map>
+                    <parameter field-name="userAccountId" required="true"/>
+                    <parameter field-name="visitId"/>
+                    <parameter field-name="servicePattern"/>
+                    <parameter field-name="packageName"/>
+                    <parameter field-name="verb"/>
+                    <parameter field-name="noun"/>
+                    <parameter field-name="includeParameters"/>
+                </parameter-map>
+            </method>
+        </resource>
+        
+        <resource name="validate">
+            <method type="post" json-request="true">
+                <description>Validate access to specific MCP tools</description>
+                <service name="org.moqui.mcp.McpDiscoveryServices.validate#McpToolAccess"/>
+                <parameter-map>
+                    <parameter field-name="userAccountId" required="true"/>
+                    <parameter field-name="serviceNames" required="true"/>
+                    <parameter field-name="visitId"/>
+                </parameter-map>
+            </method>
+        </resource>
+        
+        <method type="post" json-request="true">
+            <description>Execute MCP tool (service)</description>
+            <service name="org.moqui.mcp.McpExecutionServices.execute#McpTool"/>
+            <parameter-map>
+                <parameter field-name="sessionId" required="true"/>
+                <parameter field-name="contextToken" required="true"/>
+                <parameter field-name="serviceName" required="true"/>
+                <parameter field-name="parameters" required="true"/>
+                <parameter field-name="toolCallId"/>
+            </parameter-map>
+        </method>
+        
+        <resource name="entity">
+            <resource name="query">
+                <method type="post" json-request="true">
+                    <description>Execute entity query as MCP tool</description>
+                    <service name="org.moqui.mcp.McpExecutionServices.execute#EntityQuery"/>
+                    <parameter-map>
+                        <parameter field-name="sessionId" required="true"/>
+                        <parameter field-name="contextToken" required="true"/>
+                        <parameter field-name="serviceName" required="true"/>
+                        <parameter field-name="parameters" required="true"/>
+                        <parameter field-name="toolCallId"/>
+                    </parameter-map>
+                </method>
+            </resource>
+        </resource>
+    </resource>
+
+    <!-- MCP Health Check -->
+    
+    <resource name="health" description="MCP Server Health Check">
+        <method type="get">
+            <actions>
+                <script><![CDATA[
+                    import groovy.json.JsonBuilder
+                    
+                    def health = [
+                        status: "healthy",
+                        timestamp: ec.user.now,
+                        version: "2.0.0-MVP",
+                        server: "Moqui MCP Server v2",
+                        endpoints: [
+                            "POST /session - Create session",
+                            "POST /session/{visitId}/validate - Validate session", 
+                            "POST /session/{visitId}/terminate - Terminate session",
+                            "POST /tools/discover - Discover tools",
+                            "POST /tools/validate - Validate tool access",
+                            "POST /tools/execute - Execute service tool",
+                            "POST /tools/entity/query - Execute entity query",
+                            "GET /health - Health check"
+                        ]
+                    ]
+                    
+                    response = new JsonBuilder(health).toString()
+                ]]></script>
+            </actions>
+        </method>
+    </resource>
+
+</resource>
\ No newline at end of file

+<!DOCTYPE html>
+<html>
+<head>
+    <title>Moqui MCP Server v2</title>
+    <style>
+        body { font-family: Arial, sans-serif; margin: 40px; }
+        .header { color: #2c3e50; border-bottom: 2px solid #3498db; padding-bottom: 10px; }
+        .endpoint { background: #f8f9fa; padding: 10px; margin: 5px 0; border-radius: 5px; }
+        .method { color: #28a745; font-weight: bold; }
+        .path { font-family: monospace; background: #e9ecef; padding: 2px 5px; }
+    </style>
+</head>
+<body>
+    <h1 class="header">Moqui MCP Server v2 (MVP)</h1>
+    
+    <h2>Server Information</h2>
+    <p><strong>Version:</strong> 2.0.0-MVP</p>
+    <p><strong>Status:</strong> Active</p>
+    <p><strong>Description:</strong> Simplified MCP server using Moqui's native service engine</p>
+    
+    <h2>Available Endpoints</h2>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/session</span><br>
+        <strong>Description:</strong> Create new MCP session<br>
+        <strong>Required:</strong> username, password<br>
+        <strong>Optional:</strong> clientInfo, ipAddress, userAgent
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/session/{sessionId}/validate</span><br>
+        <strong>Description:</strong> Validate MCP session<br>
+        <strong>Required:</strong> contextToken
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/session/{sessionId}/terminate</span><br>
+        <strong>Description:</strong> Terminate MCP session<br>
+        <strong>Required:</strong> contextToken
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/tools/discover</span><br>
+        <strong>Description:</strong> Discover available MCP tools<br>
+        <strong>Required:</strong> userAccountId<br>
+        <strong>Optional:</strong> sessionId, servicePattern, packageName, verb, noun, includeParameters
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/tools/validate</span><br>
+        <strong>Description:</strong> Validate access to specific MCP tools<br>
+        <strong>Required:</strong> userAccountId, serviceNames<br>
+        <strong>Optional:</strong> sessionId
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/tools/execute</span><br>
+        <strong>Description:</strong> Execute MCP tool (service)<br>
+        <strong>Required:</strong> sessionId, serviceName, parameters<br>
+        <strong>Optional:</strong> toolCallId
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">POST</span> <span class="path">/tools/entity/query</span><br>
+        <strong>Description:</strong> Execute entity query as MCP tool<br>
+        <strong>Required:</strong> sessionId, entityName<br>
+        <strong>Optional:</strong> queryType, conditions, orderBy, limit, offset, toolCallId
+    </div>
+    
+    <div class="endpoint">
+        <span class="method">GET</span> <span class="path">/health</span><br>
+        <strong>Description:</strong> Server health check
+    </div>
+    
+    <h2>Key Features</h2>
+    <ul>
+        <li><strong>Native Service Engine:</strong> Uses Moqui's service engine directly (no registry)</li>
+        <li><strong>Dynamic Tool Discovery:</strong> Tools = services user has permission to execute</li>
+        <li><strong>Unified Security:</strong> Single permission validation using UserGroupPermission</li>
+        <li><strong>Audit Logging:</strong> Complete audit trail of all operations</li>
+        <li><strong>Session Management:</strong> Secure session handling with expiration</li>
+    </ul>
+    
+    <h2>Usage Example</h2>
+    <pre>
+# 1. Create session
+curl -X POST http://localhost:8080/mcp-2/session \
+  -H "Content-Type: application/json" \
+  -d '{"username": "admin", "password": "admin"}'
+
+# 2. Discover tools
+curl -X POST http://localhost:8080/mcp-2/tools/discover \
+  -H "Content-Type: application/json" \
+  -d '{"userAccountId": "ADMIN", "sessionId": "YOUR_SESSION_ID"}'
+
+# 3. Execute tool
+curl -X POST http://localhost:8080/mcp-2/tools/execute \
+  -H "Content-Type: application/json" \
+  -d '{
+    "sessionId": "YOUR_SESSION_ID",
+    "serviceName": "org.moqui.entity.EntityServices.find#Entity",
+    "parameters": {"entityName": "moqui.security.UserAccount"}
+  }'
+    </pre>
+</body>
+</html>
\ No newline at end of file