EC-CUBE · dotani1111 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 8, 2026
diff --git a/app/config/eccube/bundles.php b/app/config/eccube/bundles.php
@@ -27,4 +27,5 @@
     DAMA\DoctrineTestBundle\DAMADoctrineTestBundle::class => ['test' => true],
     Twig\Extra\TwigExtraBundle\TwigExtraBundle::class => ['all' => true],
     Eccube\EccubeBundle::class => ['all' => true],
+    Symfony\AI\McpBundle\McpBundle::class => ['all' => true],
 ];
diff --git a/app/config/eccube/packages/dev/monolog.yml b/app/config/eccube/packages/dev/monolog.yml
@@ -6,6 +6,8 @@ monolog:
             level: debug
             formatter: eccube.log.formatter.line
             max_files: 10
+            # mcp は専用ハンドラ (mcp) に出すため main(site.log) からは除外する
+            channels: ['!mcp']
         console:
             type: console
             process_psr_3_messages: false

diff --git a/app/config/eccube/packages/http_discovery.yaml b/app/config/eccube/packages/http_discovery.yaml
@@ -0,0 +1,10 @@
+services:
+    Psr\Http\Message\RequestFactoryInterface: '@http_discovery.psr17_factory'
+    Psr\Http\Message\ResponseFactoryInterface: '@http_discovery.psr17_factory'
+    Psr\Http\Message\ServerRequestFactoryInterface: '@http_discovery.psr17_factory'
+    Psr\Http\Message\StreamFactoryInterface: '@http_discovery.psr17_factory'
+    Psr\Http\Message\UploadedFileFactoryInterface: '@http_discovery.psr17_factory'
+    Psr\Http\Message\UriFactoryInterface: '@http_discovery.psr17_factory'
+
+    http_discovery.psr17_factory:
+        class: Http\Discovery\Psr17Factory
diff --git a/app/config/eccube/packages/mcp.yaml b/app/config/eccube/packages/mcp.yaml
@@ -0,0 +1,14 @@
+mcp:
+    app: 'EC-CUBE MCP Server'
+    version: '4.4.0'
+    description: 'EC-CUBE 4.4 の管理データ (商品/在庫・注文・顧客会員・プラグイン管理) を AI クライアントから自然言語で参照する読み取り専用 MCP サーバ。 認証認可は API プラグイン (api44) の OAuth2 / scope に委譲する。'
+    client_transports:
+        http: true
+        stdio: true
+    http:
+        path: '/%eccube_admin_route%/mcp'
+        session:
+            store: file
+    discovery:
+        scan_dirs:
+            - src/Eccube/Service/Mcp/Tool
diff --git a/app/config/eccube/packages/mcp_rate_limiter.yaml b/app/config/eccube/packages/mcp_rate_limiter.yaml
@@ -0,0 +1,19 @@
+# MCP サーバの Rate Limiter 設定 (設計 §5「Rate Limiter 連携」)。
+#
+# 2 段構成:
+#   - mcp_ip:     リモート IP 単位の制限 (firewall 前で消費、 認証エラー連発攻撃にも効く)
+#   - mcp_client: OAuth2 client_id 単位の制限 (firewall 通過後の OAuth2Token から client_id を取得して消費)
+#
+# 既定値は PoC レベルの控えめな値。 GA 運用開始時に再評価する。
+framework:
+    rate_limiter:
+        mcp_ip:
+            policy: fixed_window
+            limit: 60
+            interval: '1 minute'
+            cache_pool: rate_limiter.cache
+        mcp_client:
+            policy: fixed_window
+            limit: 300
+            interval: '1 minute'
+            cache_pool: rate_limiter.cache
diff --git a/app/config/eccube/packages/monolog.yml b/app/config/eccube/packages/monolog.yml
@@ -1,2 +1,14 @@
 monolog:
-    channels: ['front', 'admin']
+    channels: ['front', 'admin', 'mcp']
+    handlers:
+        # MCP 監査ログ: PII を含み得るため site.log と分離した専用ファイルに、 1 レコード 1 JSON で出力する。
+        # fingers_crossed を挟まず info から常時書き出す (監査記録は error 連動で握り潰してはならない)。
+        # 保管日数は ECCUBE_MCP_LOG_RETENTION_DAYS (既定 90)。 ファイルは所有者/グループのみ読める権限にする。
+        mcp:
+            type: rotating_file
+            path: '%kernel.logs_dir%/%kernel.environment%/mcp.log'
+            channels: ['mcp']
+            level: info
+            formatter: eccube.mcp.log.formatter.json
+            max_files: '%env(int:ECCUBE_MCP_LOG_RETENTION_DAYS)%'
+            file_permission: 0640
diff --git a/app/config/eccube/packages/prod/monolog.yml b/app/config/eccube/packages/prod/monolog.yml
@@ -8,7 +8,8 @@ monolog:
             handler: main_rotating_file
             excluded_http_codes: [404, 405]
             buffer_size: 50
-            channels: ['!doctrine', '!event', '!php']
+            # mcp は専用ハンドラ (mcp) に出すため main(site.log) からは除外する
+            channels: ['!doctrine', '!event', '!php', '!mcp']
         main_rotating_file:
             type: rotating_file
             max_files: 60

diff --git a/app/config/eccube/routes.yaml b/app/config/eccube/routes.yaml
@@ -4,6 +4,9 @@ controllers:
 customize_controllers:
     resource: ../../../app/Customize/Controller
     type: attribute
+mcp:
+    resource: .
+    type: mcp
 
 #    prefix: /{_locale}
     # prefix: /

diff --git a/app/config/eccube/services.yaml b/app/config/eccube/services.yaml
@@ -8,6 +8,9 @@ parameters:
     env(ECCUBE_LOCALE): 'ja'
     env(ECCUBE_TIMEZONE): 'Asia/Tokyo'
     env(ECCUBE_CURRENCY): 'JPY'
+    env(ECCUBE_MCP_ALLOWED_ORIGINS): ''
+    # MCP 監査ログ (mcp.log) の保管日数 (rotating_file の世代数)。 設計 §4.2
+    env(ECCUBE_MCP_LOG_RETENTION_DAYS): '90'
     locale: '%env(ECCUBE_LOCALE)%'
     timezone: '%env(ECCUBE_TIMEZONE)%'
     currency: '%env(ECCUBE_CURRENCY)%'
@@ -28,6 +31,9 @@ services:
           $shoppingPurchaseFlow: '@eccube.purchase.flow.shopping'
           $orderPurchaseFlow: '@eccube.purchase.flow.order'
           $_orderStateMachine: '@state_machine.order'
+          # MCP サーバ用 (path prefix と Origin 許可リスト)
+          $eccubeAdminRoute: '%eccube_admin_route%'
+          $mcpAllowedOriginsCsv: '%env(ECCUBE_MCP_ALLOWED_ORIGINS)%'
 
     # makes classes in src/ available to be used as services
     # this creates a service per class whose id is the fully-qualified class name
@@ -215,6 +221,25 @@ services:
     Eccube\EventListener\RateLimiterListener:
         arguments: [ !tagged_locator { tag: 'eccube_rate_limiter' } ]
 
+    # MCP: Api44 (ec-cube/api44) の allow_list (`eccube.api.allow_list` タグ) を集約する
+    Eccube\Service\Mcp\AllowListResolver:
+        arguments:
+            $allowLists: !tagged_iterator eccube.api.allow_list
+
+    # MCP: scope 強制層。 $inner (本物の Tool 実行器) は McpScopeEnforcementPass が構築する
+    Eccube\Service\Mcp\ScopeEnforcingReferenceHandler:
+        arguments:
+            $inner: '@eccube.mcp.reference_handler.inner'
+
+    # MCP: 監査ログとして記録するため、唯一の書き手として設定します。
+    Eccube\Service\Mcp\McpAuditLogger:
+        arguments:
+            $mcpLogger: '@monolog.logger.mcp'
+
+    # MCP: 監査ログ (mcp.log) は 1 レコード 1 JSON で出力する (機械可読・設計 §4.2)
+    eccube.mcp.log.formatter.json:
+        class: Monolog\Formatter\JsonFormatter
+
     Eccube\Security\PasswordHasher\PasswordHasher:
         arguments:
             - '%eccube_auth_magic%'

diff --git a/codeception/_data/plugins/Bundle-1.0.0/DependencyInjection/Compiler/BundleCompilerPass.php b/codeception/_data/plugins/Bundle-1.0.0/DependencyInjection/Compiler/BundleCompilerPass.php
@@ -13,6 +13,7 @@
 
 namespace Plugin\Bundle\DependencyInjection\Compiler;
 
+use League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
@@ -22,8 +23,8 @@ public function process(ContainerBuilder $container)
     {
         $plugins = $container->getParameter('eccube.plugins.enabled');
         if (!in_array('Bundle', $plugins)) {
-            if ($container->hasDefinition('League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener')) {
-                $def = $container->getDefinition('League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener');
+            if ($container->hasDefinition(AddClientDefaultScopesListener::class)) {
+                $def = $container->getDefinition(AddClientDefaultScopesListener::class);
                 $def->clearTags();
             }
         }

diff --git a/codeception/_data/plugins/Bundle-1.0.1/DependencyInjection/Compiler/BundleCompilerPass.php b/codeception/_data/plugins/Bundle-1.0.1/DependencyInjection/Compiler/BundleCompilerPass.php
@@ -13,6 +13,7 @@
 
 namespace Plugin\Bundle\DependencyInjection\Compiler;
 
+use League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
@@ -22,8 +23,8 @@ public function process(ContainerBuilder $container)
     {
         $plugins = $container->getParameter('eccube.plugins.enabled');
         if (!in_array('Bundle', $plugins)) {
-            if ($container->hasDefinition('League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener')) {
-                $def = $container->getDefinition('League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener');
+            if ($container->hasDefinition(AddClientDefaultScopesListener::class)) {
+                $def = $container->getDefinition(AddClientDefaultScopesListener::class);
                 $def->clearTags();
             }
         }

diff --git a/composer.json b/composer.json
@@ -77,6 +77,7 @@
         "symfony/lock": "^7.4",
         "symfony/mailer": "^7.4",
         "symfony/maker-bundle": "^1.0",
+        "symfony/mcp-bundle": "^0.9",
         "symfony/monolog-bridge": "^7.4",
         "symfony/monolog-bundle": "^3.1",
         "symfony/options-resolver": "^7.4",