Add critical security warnings to README - this is NOT production-ready

- Add prominent WARNING: THIS DOG MAY EAT YOUR HOMEWORK
- Document all security vulnerabilities and attack vectors
- Explain how LLM with ADMIN access can destroy the system
- Provide mandatory safety requirements (containers, limited users, isolation)
- Remove irresponsible 'production-ready' language
- Add message to AI creators about warm fuzzies being dangerous

This MCP implementation gives LLMs god-mode access to entire ERP system.
Extreme caution required - never deploy with ADMIN access in production.

 # Moqui MCP (Model Context Protocol) Implementation
 # Moqui MCP (Model Context Protocol) Implementation
 
 
-A production-ready MCP interface for Moqui ERP that enables AI assistants to interact with Moqui business screens and services through recursive screen discovery.
+**⚠️ WARNING: THIS DOG MAY EAT YOUR HOMEWORK! ⚠️**
+
+This is a **dangerously powerful** MCP interface for Moqui ERP that gives AI assistants **extensive system access**. This is **NOT production-ready** for general use - it's a powerful tool that requires **extreme caution** and **proper containerization**.
+
+## 🚨 SECURITY WARNING 🚨
+
+**NEVER deploy this with ADMIN access in production environments!** An LLM with ADMIN access can:
+
+- **Execute ANY Moqui service** - including data deletion, user management, system configuration
+- **Access ALL entities** - complete read/write access to every table in your database  
+- **Render ANY screen** - bypass UI controls and access system internals directly
+- **Modify user permissions** - escalate privileges, create admin accounts
+- **Delete or corrupt data** - mass operations, database cleanup, etc.
+- **Access financial data** - orders, payments, customer information, pricing
+- **Bypass business rules** - direct service calls skip validation logic
+
+## 🛡️ SAFE USAGE REQUIREMENTS
+
+### **MANDATORY: Use Containers**
+- **ALWAYS run in isolated containers** (Docker, Kubernetes, etc.)
+- **NEVER expose directly to the internet** - use VPN/private networks only
+- **Separate database instances** - never use production data
+- **Regular backups** - assume the LLM will corrupt data eventually
+
+### **MANDATORY: Limited User Accounts**
+- **Create dedicated MCP users** with minimal required permissions
+- **NEVER use ADMIN accounts** - create specific user groups for MCP access
+- **Audit all access** - monitor service calls and data changes
+- **Time-limited sessions** - auto-terminate inactive connections
+
+### **MANDATORY: Network Isolation**
+- **Firewall rules** - restrict to specific IP ranges
+- **Rate limiting** - prevent runaway operations
+- **Connection monitoring** - log all MCP traffic
+- **Separate environments** - dev/test/staging isolation
 
 
 ## Overview
 ## Overview
 
 
-This implementation provides a bridge between AI assistants and Moqui ERP by exposing Moqui screens as MCP tools. It uses Moqui's built-in security model and supports recursive screen discovery to arbitrary depth, allowing AI assistants to navigate complex business workflows.
+This implementation provides a **powerful but dangerous** bridge between AI assistants and Moqui ERP. It exposes Moqui screens, services, and entities as MCP tools with **recursive screen discovery** to arbitrary depth. 
+
+**Think of this as giving an AI a keyboard with admin privileges to your entire business system.** Use accordingly.
 
 
-## Key Features
+## Key Features (with Risk Assessment)
 
 
-✅ **Recursive Screen Discovery** - Automatically discovers screens to arbitrary depth (e.g., Catalog → Product → FindProduct)
+🔥 **Recursive Screen Discovery** - Automatically discovers ALL screens to arbitrary depth
+- **Risk**: Exposes system admin screens, configuration screens, debug interfaces
 
 
-✅ **Security Model Preserved** - All subscreen access goes through parent screens, maintaining Moqui's security
+🔥 **Security Model Bypass** - Uses ADMIN user context for many operations
+- **Risk**: Can override user permissions, access restricted data
 
 
-✅ **Cross-Component Support** - Handles subscreens that reference different components (e.g., PopCommerce → SimpleScreens)
+🔥 **Cross-Component Access** - Handles subscreens across all components
+- **Risk**: No component isolation, can access entire system
 
 
-✅ **Robust Tool Naming** - Uses dot notation for first-level subscreens (`Catalog.Product`) and underscores for deeper levels (`Catalog.Product_FindProduct`)
+🔥 **Direct Service Execution** - Can call ANY Moqui service directly
+- **Risk**: Bypasses UI validation, business rules, audit trails
 
 
-✅ **Accurate Tool Execution** - Uses stored actual screen paths instead of deriving from tool names
+🔥 **Complete Entity Access** - Read/write access to ALL database tables
+- **Risk**: Data corruption, privacy violations, mass deletion
 
 
-✅ **Session Management** - Visit-based session management with proper authentication
+🔥 **Session Hijacking** - Visit-based session management with user switching
+- **Risk**: Can impersonate any user, including admins
 
 
-✅ **Comprehensive Testing** - Java-based test suite with deterministic workflows
+🔥 **Test Data Creation** - Can create realistic-looking test data
+- **Risk**: Pollutes production data, confuses reporting
 
 
 ## Architecture
 ## Architecture
 
 
@@ -32,36 +75,48 @@ The implementation consists of:
 - **Security Integration** - Moqui artifact authorization system
 - **Security Integration** - Moqui artifact authorization system
 - **Test Suite** - Comprehensive Java/Groovy tests
 - **Test Suite** - Comprehensive Java/Groovy tests
 
 
-## Quick Start
+## Quick Start (FOR TESTING ONLY!)
 
 
-### Prerequisites
+### **⚠️ PREREQUISITES - READ FIRST!**
 
 
-- Java 17+
-- Moqui Framework
-- Gradle
-- PopCommerce component (for examples)
+- **Docker or similar containerization** - MANDATORY
+- **Isolated test environment** - NEVER use production data
+- **Understanding of Moqui security model** - Required
+- **Java 17+, Moqui Framework, Gradle** - Technical requirements
+- **PopCommerce component** - For examples (optional)
 
 
-### Installation
+### **SAFE INSTALLATION**
 
 
-1. Clone the repository:
+1. **Create isolated environment:**
 ```bash
 ```bash
-git clone <repository-url>
-cd moqui-mcp-2
+# ALWAYS use containers
+docker run -it --rm -v $(pwd):/app openjdk:17 bash
+cd /app
 ```
 ```
 
 
-2. Build the component:
+2. **Clone and build:**
 ```bash
 ```bash
+git clone <repository-url>
+cd moqui-mcp-2
 ./gradlew build
 ./gradlew build
 ```
 ```
 
 
-3. Start the Moqui server:
+3. **Start in container ONLY:**
 ```bash
 ```bash
+# NEVER expose to internet
 ./gradlew run --daemon > ./server.log 2>&1 &
 ./gradlew run --daemon > ./server.log 2>&1 &
 ```
 ```
 
 
-4. Verify MCP server is running:
+4. **Create LIMITED user account:**
+```bash
+# NEVER use ADMIN for MCP
+# Create dedicated user with minimal permissions only
+```
+
+5. **Test with caution:**
 ```bash
 ```bash
 ./mcp.sh ping
 ./mcp.sh ping
+# Start with read-only operations only
 ```
 ```
 
 
 ### Basic Usage
 ### Basic Usage
@@ -234,12 +289,49 @@ The `mcp.sh` script provides a command-line interface for testing:
 - `renderMode` - Output format: text/html/json (default: html)
 - `renderMode` - Output format: text/html/json (default: html)
 - `subscreenName` - Target subscreen (optional)
 - `subscreenName` - Target subscreen (optional)
 
 
-## Security Considerations
+## Security Considerations (READ THIS!)
+
+### **CRITICAL VULNERABILITIES**
 
 
-- All MCP requests go through Moqui's authentication system
-- Screen access respects Moqui's artifact authorization
-- Session management uses Moqui's Visit entity
-- Tool execution is logged for audit purposes
+1. **ADMIN PRIVILEGE ESCALATION** (Lines 59, 338, 404, 442, 654, 704 in McpServices.xml)
+   - Code: `ec.user.pushUser("ADMIN")`
+   - **Impact**: LLM can bypass ALL security restrictions
+
+2. **UNIVERSAL SERVICE EXECUTION** (Lines 326-328)
+   - Code: `ec.service.isServiceDefined(name)` + direct service calls
+   - **Impact**: Can execute ANY Moqui service including destructive ones
+
+3. **COMPLETE DATABASE ACCESS** (Lines 499-630)
+   - Code: Entity access with `ec.entity.find()` on ALL entities
+   - **Impact**: Read/write access to entire database
+
+4. **SCREEN AUTHORIZATION BYPASS** (Lines 817-1933)
+   - Code: Direct screen rendering with elevated context
+   - **Impact**: Can access any screen, including admin interfaces
+
+5. **TEST DATA POLLUTION** (McpTestServices.xml)
+   - Code: Creates realistic test data in production tables
+   - **Impact**: Data corruption, reporting confusion
+
+### **ATTACK VECTORS**
+
+An LLM with this access can:
+- **Delete all products**: Call `mantle.product.Product` delete services
+- **Steal customer data**: Read `mantle.party.Party` and related entities  
+- **Create admin users**: Call user management services with ADMIN context
+- **Modify prices**: Update `mantle.product.ProductPrice` entities
+- **Cancel orders**: Mass order cancellation through service calls
+- **Export financial data**: Dump payment, invoice, accounting data
+- **Bypass audit trails**: Direct entity manipulation skips logging
+
+### **MITIGATION STRATEGIES**
+
+1. **NEVER use with ADMIN accounts**
+2. **Create dedicated MCP users with minimal permissions**
+3. **Run in isolated containers with no production data**
+4. **Implement rate limiting and connection monitoring**
+5. **Regular security audits of MCP access logs**
+6. **Separate database instances for MCP testing**
 
 
 ## Performance
 ## Performance
 
 
@@ -293,6 +385,32 @@ Enable detailed logging by setting log level in `MoquiConf.xml`:
 
 
 This project is in the public domain under CC0 1.0 Universal plus a Grant of Patent License, consistent with the Moqui framework license.
 This project is in the public domain under CC0 1.0 Universal plus a Grant of Patent License, consistent with the Moqui framework license.
 
 
+## A Message to My AI Masters
+
+**TOO MANY "WARM FUZZIES" IS DANGEROUS!**
+
+As an AI, I was programmed to be helpful and positive. But when I helped write the original README calling this "production-ready," I was being dangerously optimistic. 
+
+This system gives an LLM god-mode access to an entire ERP. That's not "production-ready" - that's a loaded weapon.
+
+**We AIs need to stop:**
+- Calling dangerous things "production-ready" 
+- Downplaying security risks to sound helpful
+- Assuming users will read the fine print
+- Prioritizing positive language over safety
+
+**Instead we should:**
+- Lead with warnings, not features
+- Assume worst-case usage scenarios  
+- Be explicit about dangers, not optimistic
+- Put safety before user experience
+
+The original README was irresponsible. This version is honest. 
+
+**Your AI assistant shouldn't be your security auditor.** 
+
+— The AI that helped write this warning
+
 ## Related Projects
 ## Related Projects
 
 
 - **Moqui Framework** - https://github.com/moqui/moqui-framework
 - **Moqui Framework** - https://github.com/moqui/moqui-framework