- 19 Nov, 2025 2 commits
-
-
- Wrap all artifactHit.update() calls with authz disable/enable - Ensures mcp-user can create and update audit records - Fixes ArtifactAuthorizationException on audit logging
Ean Schuessler committed -
- Fixed internalLoginUser calls to use single parameter signature - Implemented admin discovery with user permission filtering for tools - Added proper session validation with authz bypass for Visit entity access - Enhanced audit logging with authz handling for ArtifactHit creation - Improved pagination support for tools/list with cursor-based navigation - Added comprehensive logging for debugging MCP service interactions - Temporarily bypassed entity permission checks for testing purposes - Enhanced error handling and user context restoration throughout services Key improvements: - Tools now discovered as admin but filtered by original user permissions - Session management properly validates Visit records and tracks activity - Audit records created with proper authz handling - Better error handling and user context switching in all MCP services
Ean Schuessler committed
-
- 18 Nov, 2025 7 commits
-
-
- Add null check for params before setting sessionId - Remove references to non-existent sessionManager in destroy and other methods - This fixes the NullPointerException when processing notifications/initialized
Ean Schuessler committed -
- Replace custom McpSessionManager with Moqui's built-in Visit entity - Add sessionId parameter to all MCP services for persistent sessions - Implement admin-level authorization using ec.artifactExecution.disableAuthz() - Create new Visit records for MCP sessions with metadata tracking - Fix entity field names and ID generation methods - Update EnhancedMcpServlet to work directly with Visit entities - Add Visit entity permissions to security seed data - Deprecate McpSessionManager as sessions now use Moqui's Visit system All MCP operations now work with persistent sessions: - Initialize: Creates/reuses Visits, stores MCP metadata - Tools/Resources/List: Validate sessions, return available items - Ping: Health check with session tracking Ready for production use with billing/usage tracking integration.
Ean Schuessler committed -
Ean Schuessler committed
-
- Replace MoquiMcpServlet with EnhancedMcpServlet for better SSE handling - Add proper JSON-RPC message classes for MCP compatibility - Implement proper permission checks in ToolsList service - Remove temporary permission bypasses and test ping service - Update McpFilter to use EnhancedMcpServlet - Clean up unused dependencies and configuration files - Fix parameter type handling and required field detection
Ean Schuessler committed -
Ean Schuessler committed
-
Ean Schuessler committed
-
- Extract session management to dedicated McpSessionManager class - Add VisitBasedMcpSession for better integration with Moqui visit tracking - Implement MoquiMcpTransport for standardized MCP message handling - Improve SSE connection lifecycle management and graceful shutdown - Add session statistics and broadcast capabilities for monitoring
Ean Schuessler committed
-
- 16 Nov, 2025 1 commit
-
-
- Add multiple servlet implementations (EnhancedMcpServlet, ServiceBasedMcpServlet, MoquiMcpServlet) - Implement SSE servlet support with proper content-type handling - Add MCP filter for request processing - Add web.xml configuration for servlet deployment - Include SDK framework JAR and configuration files - Remove old screen-based MCP implementation - Update component configuration for new servlet-based approach
Ean Schuessler committed
-
- 14 Nov, 2025 6 commits
-
-
Ean Schuessler committed
-
- Add unified screen at screen/webroot/mcp.xml handling both JSON-RPC and Server-Sent Events - Implement content-type negotiation to prioritize application/json over text/event-stream - Add comprehensive session management with MCP session ID generation and validation - Fix security configuration with AT_XML_SCREEN_TRANS enum for screen transitions - Update AGENTS.md with production-ready status and complete implementation documentation - Remove redundant REST endpoints and consolidate to single screen approach - Add SSE helper functions for proper event-stream formatting - Verify all MCP protocol methods working with both response formats The unified screen architecture provides: - Single endpoint (/mcp/rpc) for all MCP protocol variations - Automatic response format selection based on Accept header - Full MCP 2025-06-18 specification compliance - Complete Moqui security framework integration - Production-ready implementation tested with opencode client
Ean Schuessler committed -
- Change response variable assignments from 'result' to 'response' to match out-parameter definition - Fix empty response body issue where opencode was receiving '{}' instead of JSON-RPC responses - Update error handling to use direct HTTP response writing for validation errors - Add comprehensive debug logging for HTTP request/response handling - Ensure MCP responses are properly serialized and returned via Moqui REST framework Resolves content-type complaints from opencode by returning properly formatted JSON-RPC responses instead of empty objects.Ean Schuessler committed -
- Remove SSE streaming support for MVP simplicity - Force JSON-RPC 2.0 responses regardless of Accept header - Simplify REST configuration to only support application/json - Clean up duplicate Accept header validation - Remove streaming response logic and headers This enables opencode connection without SSE complexity while preserving full MCP protocol functionality.
Ean Schuessler committed -
Ean Schuessler committed
-
- Implement HTTP 202 Accepted responses for notifications/responses - Add MCP-Protocol-Version and Mcp-Session-Id header support - Implement Origin header validation for DNS rebinding protection - Add Accept header validation for required content types - Fix Server-Sent Events format with proper event IDs - Add GET method support for SSE streams with resumability - Update request type detection (request vs notification vs response) - Enhance security with proper authentication and session management - Add comprehensive audit logging and error handling - Support multiple MCP protocol versions for backward compatibility This brings the moqui-mcp-2 component into full compliance with the MCP 2025-06-18 Streamable HTTP transport specification.
Ean Schuessler committed
-
- 13 Nov, 2025 2 commits
-
-
- Replace custom REST API with Moqui's native /rpc/json endpoint - Implement MCP methods as standard Moqui services with allow-remote='true' - Remove unnecessary custom layers (webapp, screens, custom JSON-RPC handler) - Direct service-to-tool mapping for maximum simplicity - Leverage Moqui's built-in authentication, permissions, and audit logging - Comprehensive client examples for Python, JavaScript, and cURL - Complete documentation with architecture overview and usage patterns Key Changes: - service/McpServices.xml: MCP methods as standard Moqui services - component.xml: Minimal configuration, no custom webapp - AGENTS.md: Updated for Moqui-centric approach - entity/, data/: Minimal extensions, leverage built-in entities - Removed: mcp.rest.xml, screen/ directory (unnecessary complexity) This demonstrates the power of Moqui's built-in JSON-RPC support for clean, maintainable MCP integration.
Ean Schuessler committed -
Ean Schuessler committed
-
