diff --git a/.gitignore b/.gitignore
index 52dcccb2915..8338e814354 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,9 @@ node_modules
 !/app/Plugin/.gitkeep
 /app/PluginData/*
 !/app/PluginData/.gitkeep
+/app/keystore/*
+!/app/keystore/.gitkeep
+!/app/keystore/.htaccess
 /app/template/*
 !/app/template/admin
 !/app/template/default
diff --git a/.htaccess b/.htaccess
index 4439047aca8..015024cf20f 100644
--- a/.htaccess
+++ b/.htaccess
@@ -12,7 +12,7 @@ DirectoryIndex index.php index.html .ht
     Allow from all
 </FilesMatch>
 
-<FilesMatch "^composer|^COPYING|^\.env|^\.maintenance|^Procfile|^app\.json|^gulpfile\.js|^package\.json|^package-lock\.json|web\.config|^Dockerfile|^\.editorconfig|\.(ini|lock|dist|git|sh|bak|swp|env|twig|yml|yaml|dockerignore|sample)$">
+<FilesMatch "^composer|^COPYING|^\.env|^\.maintenance|^Procfile|^app\.json|^gulpfile\.js|^package\.json|^package-lock\.json|web\.config|^Dockerfile|^\.editorconfig|\.(ini|lock|dist|git|sh|bak|swp|env|twig|yml|yaml|dockerignore|sample|key)$">
     order allow,deny
     deny from all
 </FilesMatch>
diff --git a/app/DoctrineMigrations/Version20260604120000.php b/app/DoctrineMigrations/Version20260604120000.php
new file mode 100644
index 00000000000..74274ee06bb
--- /dev/null
+++ b/app/DoctrineMigrations/Version20260604120000.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * mtb_country_iso_code (ISO 3166-1 numeric -> alpha-2) の初期データを投入する.
+ *
+ * テーブル自体は doctrine:schema:update でエンティティから生成される。
+ * 新規インストールは import_csv (definition.yml) で投入されるため、
+ * 本マイグレーションは既存インストールのアップグレード時の backfill を担う
+ * (空テーブルのときのみ INSERT する冪等実装)。
+ */
+final class Version20260604120000 extends AbstractMigration
+{
+    public const NAME = 'mtb_country_iso_code';
+
+    public function up(Schema $schema): void
+    {
+        if (!$schema->hasTable(self::NAME)) {
+            return;
+        }
+
+        // 既にデータがある場合 (新規インストールの fixtures 投入済み等) は二重投入しない.
+        $count = $this->connection->fetchOne('SELECT COUNT(*) FROM '.self::NAME);
+        if ($count > 0) {
+            return;
+        }
+
+        $this->addSql("INSERT INTO mtb_country_iso_code (id, name, sort_no, discriminator_type) VALUES (352, 'IS', 1, 'countryisocode'), (372, 'IE', 2, 'countryisocode'), (31, 'AZ', 3, 'countryisocode'), (4, 'AF', 4, 'countryisocode'), (840, 'US', 5, 'countryisocode'), (850, 'VI', 6, 'countryisocode'), (16, 'AS', 7, 'countryisocode'), (784, 'AE', 8, 'countryisocode'), (12, 'DZ', 9, 'countryisocode'), (32, 'AR', 10, 'countryisocode'), (533, 'AW', 11, 'countryisocode'), (8, 'AL', 12, 'countryisocode'), (51, 'AM', 13, 'countryisocode'), (660, 'AI', 14, 'countryisocode'), (24, 'AO', 15, 'countryisocode'), (28, 'AG', 16, 'countryisocode'), (20, 'AD', 17, 'countryisocode'), (887, 'YE', 18, 'countryisocode'), (826, 'GB', 19, 'countryisocode'), (86, 'IO', 20, 'countryisocode'), (92, 'VG', 21, 'countryisocode'), (376, 'IL', 22, 'countryisocode'), (380, 'IT', 23, 'countryisocode'), (368, 'IQ', 24, 'countryisocode'), (364, 'IR', 25, 'countryisocode'), (356, 'IN', 26, 'countryisocode'), (360, 'ID', 27, 'countryisocode'), (876, 'WF', 28, 'countryisocode'), (800, 'UG', 29, 'countryisocode'), (804, 'UA', 30, 'countryisocode'), (860, 'UZ', 31, 'countryisocode'), (858, 'UY', 32, 'countryisocode'), (218, 'EC', 33, 'countryisocode'), (818, 'EG', 34, 'countryisocode'), (233, 'EE', 35, 'countryisocode'), (231, 'ET', 36, 'countryisocode'), (232, 'ER', 37, 'countryisocode'), (222, 'SV', 38, 'countryisocode'), (36, 'AU', 39, 'countryisocode'), (40, 'AT', 40, 'countryisocode'), (248, 'AX', 41, 'countryisocode'), (512, 'OM', 42, 'countryisocode'), (528, 'NL', 43, 'countryisocode'), (288, 'GH', 44, 'countryisocode'), (132, 'CV', 45, 'countryisocode'), (831, 'GG', 46, 'countryisocode'), (328, 'GY', 47, 'countryisocode'), (398, 'KZ', 48, 'countryisocode'), (634, 'QA', 49, 'countryisocode'), (581, 'UM', 50, 'countryisocode'), (124, 'CA', 51, 'countryisocode'), (266, 'GA', 52, 'countryisocode'), (120, 'CM', 53, 'countryisocode'), (270, 'GM', 54, 'countryisocode'), (116, 'KH', 55, 'countryisocode'), (580, 'MP', 56, 'countryisocode'), (324, 'GN', 57, 'countryisocode'), (624, 'GW', 58, 'countryisocode'), (196, 'CY', 59, 'countryisocode'), (192, 'CU', 60, 'countryisocode'), (531, 'CW', 61, 'countryisocode'), (300, 'GR', 62, 'countryisocode'), (296, 'KI', 63, 'countryisocode'), (417, 'KG', 64, 'countryisocode'), (320, 'GT', 65, 'countryisocode'), (312, 'GP', 66, 'countryisocode'), (316, 'GU', 67, 'countryisocode'), (414, 'KW', 68, 'countryisocode'), (184, 'CK', 69, 'countryisocode'), (304, 'GL', 70, 'countryisocode'), (162, 'CX', 71, 'countryisocode'), (268, 'GE', 72, 'countryisocode'), (308, 'GD', 73, 'countryisocode'), (191, 'HR', 74, 'countryisocode'), (136, 'KY', 75, 'countryisocode'), (404, 'KE', 76, 'countryisocode'), (384, 'CI', 77, 'countryisocode'), (166, 'CC', 78, 'countryisocode'), (188, 'CR', 79, 'countryisocode'), (174, 'KM', 80, 'countryisocode'), (170, 'CO', 81, 'countryisocode'), (178, 'CG', 82, 'countryisocode'), (180, 'CD', 83, 'countryisocode'), (682, 'SA', 84, 'countryisocode'), (239, 'GS', 85, 'countryisocode'), (882, 'WS', 86, 'countryisocode'), (678, 'ST', 87, 'countryisocode'), (652, 'BL', 88, 'countryisocode'), (894, 'ZM', 89, 'countryisocode'), (666, 'PM', 90, 'countryisocode'), (674, 'SM', 91, 'countryisocode'), (663, 'MF', 92, 'countryisocode'), (694, 'SL', 93, 'countryisocode'), (262, 'DJ', 94, 'countryisocode'), (292, 'GI', 95, 'countryisocode'), (832, 'JE', 96, 'countryisocode'), (388, 'JM', 97, 'countryisocode'), (760, 'SY', 98, 'countryisocode'), (702, 'SG', 99, 'countryisocode'), (534, 'SX', 100, 'countryisocode'), (716, 'ZW', 101, 'countryisocode'), (756, 'CH', 102, 'countryisocode'), (752, 'SE', 103, 'countryisocode'), (729, 'SD', 104, 'countryisocode'), (744, 'SJ', 105, 'countryisocode'), (724, 'ES', 106, 'countryisocode'), (740, 'SR', 107, 'countryisocode'), (144, 'LK', 108, 'countryisocode'), (703, 'SK', 109, 'countryisocode'), (705, 'SI', 110, 'countryisocode'), (748, 'SZ', 111, 'countryisocode'), (690, 'SC', 112, 'countryisocode'), (226, 'GQ', 113, 'countryisocode'), (686, 'SN', 114, 'countryisocode'), (688, 'RS', 115, 'countryisocode'), (659, 'KN', 116, 'countryisocode'), (670, 'VC', 117, 'countryisocode'), (426, 'LS', 118, 'countryisocode'), (654, 'SH', 119, 'countryisocode'), (662, 'LC', 120, 'countryisocode'), (706, 'SO', 121, 'countryisocode'), (90, 'SB', 122, 'countryisocode'), (796, 'TC', 123, 'countryisocode'), (764, 'TH', 124, 'countryisocode'), (410, 'KR', 125, 'countryisocode'), (158, 'TW', 126, 'countryisocode'), (762, 'TJ', 127, 'countryisocode'), (834, 'TZ', 128, 'countryisocode'), (203, 'CZ', 129, 'countryisocode'), (148, 'TD', 130, 'countryisocode'), (140, 'CF', 131, 'countryisocode'), (156, 'CN', 132, 'countryisocode'), (788, 'TN', 133, 'countryisocode'), (408, 'KP', 134, 'countryisocode'), (152, 'CL', 135, 'countryisocode'), (798, 'TV', 136, 'countryisocode'), (208, 'DK', 137, 'countryisocode'), (276, 'DE', 138, 'countryisocode'), (768, 'TG', 139, 'countryisocode'), (772, 'TK', 140, 'countryisocode'), (214, 'DO', 141, 'countryisocode'), (212, 'DM', 142, 'countryisocode'), (780, 'TT', 143, 'countryisocode'), (795, 'TM', 144, 'countryisocode'), (792, 'TR', 145, 'countryisocode'), (776, 'TO', 146, 'countryisocode'), (566, 'NG', 147, 'countryisocode'), (520, 'NR', 148, 'countryisocode'), (516, 'NA', 149, 'countryisocode'), (10, 'AQ', 150, 'countryisocode'), (570, 'NU', 151, 'countryisocode'), (558, 'NI', 152, 'countryisocode'), (562, 'NE', 153, 'countryisocode'), (392, 'JP', 154, 'countryisocode'), (732, 'EH', 155, 'countryisocode'), (540, 'NC', 156, 'countryisocode'), (554, 'NZ', 157, 'countryisocode'), (524, 'NP', 158, 'countryisocode'), (574, 'NF', 159, 'countryisocode'), (578, 'NO', 160, 'countryisocode'), (334, 'HM', 161, 'countryisocode'), (48, 'BH', 162, 'countryisocode'), (332, 'HT', 163, 'countryisocode'), (586, 'PK', 164, 'countryisocode'), (336, 'VA', 165, 'countryisocode'), (591, 'PA', 166, 'countryisocode'), (548, 'VU', 167, 'countryisocode'), (44, 'BS', 168, 'countryisocode'), (598, 'PG', 169, 'countryisocode'), (60, 'BM', 170, 'countryisocode'), (585, 'PW', 171, 'countryisocode'), (600, 'PY', 172, 'countryisocode'), (52, 'BB', 173, 'countryisocode'), (275, 'PS', 174, 'countryisocode'), (348, 'HU', 175, 'countryisocode'), (50, 'BD', 176, 'countryisocode'), (626, 'TL', 177, 'countryisocode'), (612, 'PN', 178, 'countryisocode'), (242, 'FJ', 179, 'countryisocode'), (608, 'PH', 180, 'countryisocode'), (246, 'FI', 181, 'countryisocode'), (64, 'BT', 182, 'countryisocode'), (74, 'BV', 183, 'countryisocode'), (630, 'PR', 184, 'countryisocode'), (234, 'FO', 185, 'countryisocode'), (238, 'FK', 186, 'countryisocode'), (76, 'BR', 187, 'countryisocode'), (250, 'FR', 188, 'countryisocode'), (254, 'GF', 189, 'countryisocode'), (258, 'PF', 190, 'countryisocode'), (260, 'TF', 191, 'countryisocode'), (100, 'BG', 192, 'countryisocode'), (854, 'BF', 193, 'countryisocode'), (96, 'BN', 194, 'countryisocode'), (108, 'BI', 195, 'countryisocode'), (704, 'VN', 196, 'countryisocode'), (204, 'BJ', 197, 'countryisocode'), (862, 'VE', 198, 'countryisocode'), (112, 'BY', 199, 'countryisocode'), (84, 'BZ', 200, 'countryisocode'), (604, 'PE', 201, 'countryisocode'), (56, 'BE', 202, 'countryisocode'), (616, 'PL', 203, 'countryisocode'), (70, 'BA', 204, 'countryisocode'), (72, 'BW', 205, 'countryisocode'), (535, 'BQ', 206, 'countryisocode'), (68, 'BO', 207, 'countryisocode'), (620, 'PT', 208, 'countryisocode'), (344, 'HK', 209, 'countryisocode'), (340, 'HN', 210, 'countryisocode'), (584, 'MH', 211, 'countryisocode'), (446, 'MO', 212, 'countryisocode'), (807, 'MK', 213, 'countryisocode'), (450, 'MG', 214, 'countryisocode'), (175, 'YT', 215, 'countryisocode'), (454, 'MW', 216, 'countryisocode'), (466, 'ML', 217, 'countryisocode'), (470, 'MT', 218, 'countryisocode'), (474, 'MQ', 219, 'countryisocode'), (458, 'MY', 220, 'countryisocode'), (833, 'IM', 221, 'countryisocode'), (583, 'FM', 222, 'countryisocode'), (710, 'ZA', 223, 'countryisocode'), (728, 'SS', 224, 'countryisocode'), (104, 'MM', 225, 'countryisocode'), (484, 'MX', 226, 'countryisocode'), (480, 'MU', 227, 'countryisocode'), (478, 'MR', 228, 'countryisocode'), (508, 'MZ', 229, 'countryisocode'), (492, 'MC', 230, 'countryisocode'), (462, 'MV', 231, 'countryisocode'), (498, 'MD', 232, 'countryisocode'), (504, 'MA', 233, 'countryisocode'), (496, 'MN', 234, 'countryisocode'), (499, 'ME', 235, 'countryisocode'), (500, 'MS', 236, 'countryisocode'), (400, 'JO', 237, 'countryisocode'), (418, 'LA', 238, 'countryisocode'), (428, 'LV', 239, 'countryisocode'), (440, 'LT', 240, 'countryisocode'), (434, 'LY', 241, 'countryisocode'), (438, 'LI', 242, 'countryisocode'), (430, 'LR', 243, 'countryisocode'), (642, 'RO', 244, 'countryisocode'), (442, 'LU', 245, 'countryisocode'), (646, 'RW', 246, 'countryisocode'), (422, 'LB', 247, 'countryisocode'), (638, 'RE', 248, 'countryisocode'), (643, 'RU', 249, 'countryisocode')");
+    }
+
+    public function down(Schema $schema): void
+    {
+        // 新規インストールでは up() が no-op (import_csv 投入済み) のため、
+        // 一律 DELETE すると import_csv 由来の初期データまで巻き添えで消える。
+        // マスタ初期データは不可逆として扱い、ロールバックでは何もしない。
+        $this->throwIrreversibleMigrationException(self::NAME.' はマスタ初期データのため down は非対応です.');
+    }
+}
diff --git a/app/DoctrineMigrations/Version20260611120000.php b/app/DoctrineMigrations/Version20260611120000.php
new file mode 100644
index 00000000000..5f1d4269b0a
--- /dev/null
+++ b/app/DoctrineMigrations/Version20260611120000.php
@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * エージェントコマースの区分値マスタ (mtb_checkout_session_status / mtb_agent_protocol) の初期データを投入する.
+ *
+ * テーブル自体は doctrine:schema:update でエンティティから生成される。
+ * 新規インストールは import_csv (definition.yml) で投入されるため、
+ * 本マイグレーションは既存インストールのアップグレード時の backfill を担う
+ * (空テーブルのときのみ INSERT する冪等実装)。
+ */
+final class Version20260611120000 extends AbstractMigration
+{
+    /**
+     * @var array<string, string>
+     */
+    private const INSERTS = [
+        'mtb_checkout_session_status' => "INSERT INTO mtb_checkout_session_status (id, name, sort_no, discriminator_type) VALUES (1, 'incomplete', 1, 'checkoutsessionstatus'), (2, 'ready', 2, 'checkoutsessionstatus'), (3, 'completed', 3, 'checkoutsessionstatus'), (4, 'canceled', 4, 'checkoutsessionstatus'), (5, 'expired', 5, 'checkoutsessionstatus')",
+        'mtb_agent_protocol' => "INSERT INTO mtb_agent_protocol (id, name, sort_no, discriminator_type) VALUES (1, 'acp', 1, 'agentprotocol'), (2, 'ucp', 2, 'agentprotocol')",
+    ];
+
+    public function up(Schema $schema): void
+    {
+        foreach (self::INSERTS as $table => $sql) {
+            if (!$schema->hasTable($table)) {
+                continue;
+            }
+
+            // 既にデータがある場合 (新規インストールの fixtures 投入済み等) は二重投入しない.
+            $count = $this->connection->fetchOne('SELECT COUNT(*) FROM '.$table);
+            if ($count > 0) {
+                continue;
+            }
+
+            $this->addSql($sql);
+        }
+    }
+
+    public function down(Schema $schema): void
+    {
+        // 新規インストールでは up() が no-op (import_csv 投入済み) のため、
+        // 一律 DELETE すると import_csv 由来の初期データまで巻き添えで消える。
+        // マスタ初期データは不可逆として扱い、ロールバックでは何もしない。
+        $this->throwIrreversibleMigrationException('エージェントコマースの区分値マスタはマスタ初期データのため down は非対応です.');
+    }
+}
diff --git a/app/DoctrineMigrations/Version20260617120000.php b/app/DoctrineMigrations/Version20260617120000.php
new file mode 100644
index 00000000000..892ae66f294
--- /dev/null
+++ b/app/DoctrineMigrations/Version20260617120000.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * mtb_checkout_session_status へ正規化ステータス requires_action (6) / in_progress (7) を追加する.
+ *
+ * complete を「中断→再開」状態機械として再設計したことに伴い、追加認証 (3DS) / escalation 待ちの
+ * `requires_action` と非同期決済確定待ちの `in_progress` を中間状態として導入する (#6777)。
+ *
+ * 新規インストールは import_csv (definition.yml) で 7 行とも投入されるため、本マイグレーションは
+ * 既存インストール (1〜5 のみ投入済) のアップグレード時 backfill を担う。行単位で存在を確認し
+ * 二重投入しない冪等実装とする。
+ */
+final class Version20260617120000 extends AbstractMigration
+{
+    /**
+     * @var array<int, array{int, string}>
+     */
+    private const ROWS = [
+        [6, 'requires_action'],
+        [7, 'in_progress'],
+    ];
+
+    public function up(Schema $schema): void
+    {
+        if (!$schema->hasTable('mtb_checkout_session_status')) {
+            return;
+        }
+
+        foreach (self::ROWS as [$id, $name]) {
+            $exists = $this->connection->fetchOne(
+                'SELECT COUNT(*) FROM mtb_checkout_session_status WHERE id = :id',
+                ['id' => $id]
+            );
+            if ($exists > 0) {
+                continue;
+            }
+
+            $this->addSql(
+                'INSERT INTO mtb_checkout_session_status (id, name, sort_no, discriminator_type) VALUES (:id, :name, :sort_no, :discriminator_type)',
+                ['id' => $id, 'name' => $name, 'sort_no' => $id, 'discriminator_type' => 'checkoutsessionstatus']
+            );
+        }
+    }
+
+    public function down(Schema $schema): void
+    {
+        // マスタ初期データは不可逆として扱い、ロールバックでは何もしない
+        // (一律 DELETE すると import_csv 由来の初期データまで巻き添えになるため)。
+        $this->throwIrreversibleMigrationException('エージェントコマースの区分値マスタはマスタ初期データのため down は非対応です.');
+    }
+}
diff --git a/app/config/eccube/packages/eccube.yaml b/app/config/eccube/packages/eccube.yaml
index 0b4a38f45d5..956bd3d4595 100644
--- a/app/config/eccube/packages/eccube.yaml
+++ b/app/config/eccube/packages/eccube.yaml
@@ -83,6 +83,11 @@ parameters:
     eccube_default_page_count: 50
     eccube_admin_product_stock_status: 3
     eccube_customer_reset_expire: 10
+    # エージェントチェックアウトの追加対応 (3DS/escalation) / 非同期決済の待機中に在庫を確保する期限 (分).
+    # この間 prepare で引き当てた在庫は他購入者に対し確保されたまま保持される。超過すると
+    # 期限切れ回収 (CheckoutSessionRepository::findExpired) で rollback され在庫が戻る。
+    # EMV-3DS のタイムアウト (10 分) より大きい値とすること。
+    eccube_agent_checkout_escalation_expire: 15
     # CSVの区切り文字(タブ区切りにしたい場合は'\t'ではなく'    'で設定する
     eccube_csv_export_separator: ,
     # 出力エンコーディング
diff --git a/app/config/eccube/services.yaml b/app/config/eccube/services.yaml
index ebdebaa9853..c4a96c76196 100644
--- a/app/config/eccube/services.yaml
+++ b/app/config/eccube/services.yaml
@@ -237,3 +237,56 @@ services:
     eccube.asset.user_data_version_strategy:
         alias: Eccube\Asset\FilemtimeVersionStrategy
         public: true
+
+    # Agent Commerce (ACP / UCP) 共通基盤
+    Eccube\Service\AgentCommerce\Security\FilesystemKeyStore:
+        arguments:
+            $projectDir: '%kernel.project_dir%'
+            $envPathOverrides:
+                ucp_signing: '%env(default::string:ECCUBE_AGENT_COMMERCE_UCP_SIGNING_KEY)%'
+
+    Eccube\Service\AgentCommerce\Security\KeyStoreInterface:
+        alias: Eccube\Service\AgentCommerce\Security\FilesystemKeyStore
+
+    Eccube\Service\AgentCommerce\Security\AgentCommerceMessageSignerInterface:
+        alias: Eccube\Service\AgentCommerce\Security\UcpMessageSigner
+
+    # Agent Commerce CheckoutSession 中核 (#6777 Phase 1b)
+    Eccube\Service\AgentCommerce\Fulfillment\FulfillmentOptionMapperInterface:
+        alias: Eccube\Service\AgentCommerce\Fulfillment\StandardFulfillmentOptionMapper
+
+    # 標準はゲスト購入 (会員解決なし)。会員 ID 連携は eccube-api4#189 landing 後に差し替える。
+    Eccube\Service\AgentCommerce\CheckoutSession\CustomerResolverInterface:
+        alias: Eccube\Service\AgentCommerce\CheckoutSession\GuestCustomerResolver
+
+    # OAuth2 トークン検証。リソースサーバー (eccube-api4#188) 未導入時は handler が null となり 503 を返す。
+    Eccube\Service\AgentCommerce\Security\AgentCommerceOAuth2Authenticator:
+        arguments:
+            $accessTokenHandler: '@?Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface'
+
+    # Agent Commerce 決済ハンドラ (#6574 UCP / #6776 ACP)
+    # 具象ハンドラは決済プラグインが agent_commerce.payment_handler タグで寄与する。
+    _instanceof:
+        Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerInterface:
+            tags: ['agent_commerce.payment_handler']
+
+    # 決済ハンドラレジストリ。具象ハンドラ (決済プラグイン) は agent_commerce.payment_handler タグで寄与する。
+    Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry:
+        arguments:
+            $handlers: !tagged_iterator agent_commerce.payment_handler
+
+    # complete 状態機械オーケストレータ。在庫確保期限は eccube.yaml の設定値を注入。
+    Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionService:
+        arguments:
+            $escalationExpireMinutes: '%eccube_agent_checkout_escalation_expire%'
+
+    # 冪等性記録は DB 一意制約 (dtb_agent_checkout_idempotency) で管理する (EM/Repository は autowire)。
+
+    # UCP インバウンド署名検証 (RFC 9421・api4 非依存)。許可ドメイン/必須化は運用で設定する。
+    Eccube\Service\AgentCommerce\Ucp\Signature\UcpRequestSignatureVerifier:
+        arguments:
+            $allowedDomains: []
+
+    Eccube\Service\AgentCommerce\Ucp\Signature\UcpSignatureSubscriber:
+        arguments:
+            $requireSignature: false
diff --git a/app/config/eccube/services_test.yaml b/app/config/eccube/services_test.yaml
index ea2133e30e6..33333dbd5fb 100644
--- a/app/config/eccube/services_test.yaml
+++ b/app/config/eccube/services_test.yaml
@@ -77,3 +77,53 @@ services:
     Eccube\Service\Composer\ComposerApiService:
         autowire: true
         public: true
+    # AddressMappingService はまだ consumer が無く private では除去されるためテスト時のみ public 化
+    Eccube\Service\AgentCommerce\AddressMappingService:
+        autowire: true
+        public: true
+    # CheckoutSession 中核 (#6777 Phase 1b) も consumer (checkout controller) が #6776/#6574 まで
+    # 無いため、テスト時のみ public 化してコンテナから取得する。
+    Eccube\Service\AgentCommerce\AgentCheckoutPurchaseFlowAdapter:
+        autowire: true
+        public: true
+        # 明示定義により _defaults の $shoppingPurchaseFlow bind が外れるため、ここで再束縛する。
+        arguments:
+            $shoppingPurchaseFlow: '@eccube.purchase.flow.shopping'
+    Eccube\Service\AgentCommerce\Fulfillment\StandardFulfillmentOptionMapper:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\CheckoutSession\GuestCustomerResolver:
+        autowire: true
+        public: true
+    # UCP checkout (#6574) サービス群。テストからコンテナ取得するため public 化する。
+    Eccube\Service\AgentCommerce\Ucp\UcpCheckoutSessionMapper:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Ucp\UcpMessageMapper:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Ucp\UcpStatusMapper:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Ucp\Signature\Rfc9421SignatureBaseBuilder:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Ucp\Signature\UcpProfileFetcher:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Ucp\Signature\UcpRequestSignatureVerifier:
+        autowire: true
+        public: true
+        arguments:
+            $allowedDomains: []
+    Eccube\Service\AgentCommerce\Idempotency\AgentCheckoutIdempotencyStore:
+        autowire: true
+        public: true
+    Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry:
+        autowire: true
+        public: true
+        arguments:
+            $handlers: !tagged_iterator agent_commerce.payment_handler
+    Eccube\Service\AgentCommerce\StorefrontUrlResolver:
+        autowire: true
+        public: true
diff --git a/app/keystore/.gitkeep b/app/keystore/.gitkeep
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/app/keystore/.htaccess b/app/keystore/.htaccess
new file mode 100644
index 00000000000..baa56e5a369
--- /dev/null
+++ b/app/keystore/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
\ No newline at end of file
diff --git a/composer.json b/composer.json
index fc737569d9d..f2f875e3b99 100644
--- a/composer.json
+++ b/composer.json
@@ -71,6 +71,7 @@
         "symfony/flex": "^2.7",
         "symfony/form": "^7.4",
         "symfony/framework-bundle": "^7.4",
+        "symfony/http-client": "^7.4",
         "symfony/http-foundation": "^7.4",
         "symfony/http-kernel": "^7.4",
         "symfony/intl": "^7.4",
diff --git a/composer.lock b/composer.lock
index ac85cf5fffc..688514724ca 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "98f03b30b0f09f78545a7ae3f43316e9",
+    "content-hash": "e1647bfa3f3b5c8f5aa869fdcc3a6561",
     "packages": [
         {
             "name": "carbonphp/carbon-doctrine-types",
@@ -7539,6 +7539,189 @@
             ],
             "time": "2026-03-30T12:55:43+00:00"
         },
+        {
+            "name": "symfony/http-client",
+            "version": "v7.4.13",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/http-client.git",
+                "reference": "e8a112b8415707265a7e614278136a9d92989a6a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/http-client/zipball/e8a112b8415707265a7e614278136a9d92989a6a",
+                "reference": "e8a112b8415707265a7e614278136a9d92989a6a",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.2",
+                "psr/log": "^1|^2|^3",
+                "symfony/deprecation-contracts": "^2.5|^3",
+                "symfony/http-client-contracts": "~3.4.4|^3.5.2",
+                "symfony/polyfill-php83": "^1.29",
+                "symfony/service-contracts": "^2.5|^3"
+            },
+            "conflict": {
+                "amphp/amp": "<2.5",
+                "amphp/socket": "<1.1",
+                "php-http/discovery": "<1.15",
+                "symfony/http-foundation": "<6.4"
+            },
+            "provide": {
+                "php-http/async-client-implementation": "*",
+                "php-http/client-implementation": "*",
+                "psr/http-client-implementation": "1.0",
+                "symfony/http-client-implementation": "3.0"
+            },
+            "require-dev": {
+                "amphp/http-client": "^4.2.1|^5.0",
+                "amphp/http-tunnel": "^1.0|^2.0",
+                "guzzlehttp/promises": "^1.4|^2.0",
+                "nyholm/psr7": "^1.0",
+                "php-http/httplug": "^1.0|^2.0",
+                "psr/http-client": "^1.0",
+                "symfony/amphp-http-client-meta": "^1.0|^2.0",
+                "symfony/cache": "^6.4|^7.0|^8.0",
+                "symfony/dependency-injection": "^6.4|^7.0|^8.0",
+                "symfony/http-kernel": "^6.4|^7.0|^8.0",
+                "symfony/messenger": "^6.4|^7.0|^8.0",
+                "symfony/process": "^6.4|^7.0|^8.0",
+                "symfony/rate-limiter": "^6.4|^7.0|^8.0",
+                "symfony/stopwatch": "^6.4|^7.0|^8.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Component\\HttpClient\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Tests/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Provides powerful methods to fetch HTTP resources synchronously or asynchronously",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "http"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/http-client/tree/v7.4.13"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-05-24T09:57:54+00:00"
+        },
+        {
+            "name": "symfony/http-client-contracts",
+            "version": "v3.7.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/symfony/http-client-contracts.git",
+                "reference": "4a2d00c37651c0bdc2b9e1c773487a8bf4edb12d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/symfony/http-client-contracts/zipball/4a2d00c37651c0bdc2b9e1c773487a8bf4edb12d",
+                "reference": "4a2d00c37651c0bdc2b9e1c773487a8bf4edb12d",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=8.1"
+            },
+            "type": "library",
+            "extra": {
+                "thanks": {
+                    "url": "https://github.com/symfony/contracts",
+                    "name": "symfony/contracts"
+                },
+                "branch-alias": {
+                    "dev-main": "3.7-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Symfony\\Contracts\\HttpClient\\": ""
+                },
+                "exclude-from-classmap": [
+                    "/Test/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Nicolas Grekas",
+                    "email": "p@tchwork.com"
+                },
+                {
+                    "name": "Symfony Community",
+                    "homepage": "https://symfony.com/contributors"
+                }
+            ],
+            "description": "Generic abstractions related to HTTP clients",
+            "homepage": "https://symfony.com",
+            "keywords": [
+                "abstractions",
+                "contracts",
+                "decoupling",
+                "interfaces",
+                "interoperability",
+                "standards"
+            ],
+            "support": {
+                "source": "https://github.com/symfony/http-client-contracts/tree/v3.7.0"
+            },
+            "funding": [
+                {
+                    "url": "https://symfony.com/sponsor",
+                    "type": "custom"
+                },
+                {
+                    "url": "https://github.com/fabpot",
+                    "type": "github"
+                },
+                {
+                    "url": "https://github.com/nicolas-grekas",
+                    "type": "github"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
+                    "type": "tidelift"
+                }
+            ],
+            "time": "2026-03-06T13:17:50+00:00"
+        },
         {
             "name": "symfony/http-foundation",
             "version": "v7.4.13",
diff --git a/src/Eccube/Controller/AgentCommerce/UcpCheckoutController.php b/src/Eccube/Controller/AgentCommerce/UcpCheckoutController.php
new file mode 100644
index 00000000000..e5083c32ab2
--- /dev/null
+++ b/src/Eccube/Controller/AgentCommerce/UcpCheckoutController.php
@@ -0,0 +1,439 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Controller\AgentCommerce;
+
+use Eccube\Controller\AbstractController;
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Repository\BaseInfoRepository;
+use Eccube\Repository\CheckoutSessionRepository;
+use Eccube\Repository\Master\AgentProtocolRepository;
+use Eccube\Repository\Master\CheckoutSessionStatusRepository;
+use Eccube\Service\AgentCommerce\AgentCheckoutPurchaseFlowAdapter;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutAddress;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionResult;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionService;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutLineItem;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutRequest;
+use Eccube\Service\AgentCommerce\CheckoutSession\CustomerResolverInterface;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutErrorCode;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutException;
+use Eccube\Service\AgentCommerce\Exception\IdempotencyConflictException;
+use Eccube\Service\AgentCommerce\Idempotency\AgentCheckoutIdempotencyStore;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry;
+use Eccube\Service\AgentCommerce\Ucp\UcpCheckoutSessionMapper;
+use Eccube\Service\AgentCommerce\Ucp\UcpMessageMapper;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+
+/**
+ * UCP (Universal Commerce Protocol) checkout の REST エンドポイント.
+ *
+ * v2026-04-08 の checkout capability を 5 エンドポイントで提供する:
+ * - POST   /ucp/checkout-sessions            (create)        -> 201
+ * - GET    /ucp/checkout-sessions/{id}       (get)           -> 200
+ * - PUT    /ucp/checkout-sessions/{id}       (update)        -> 200 (全置換)
+ * - POST   /ucp/checkout-sessions/{id}/complete             -> 200 (order)
+ * - POST   /ucp/checkout-sessions/{id}/cancel               -> 200 (canceled)
+ *
+ * 設計:
+ * - セッションレスなエージェント向けに {@link CheckoutSession} で Cart/Order を束ねる。
+ * - 見積/確定は通常購入と同一の shopping flow を {@link AgentCheckoutPurchaseFlowAdapter} 経由で再利用。
+ * - **2 系統エラー**: プロトコル系は HTTP 4xx/5xx + Error、ビジネス系は HTTP 200 + messages[]。
+ * - インバウンド認証は RFC 9421 署名 (UcpSignatureSubscriber が適用、api4 非依存)。
+ * - `ucp_checkout_enabled` が false のときは NotFoundHttpException (ルートは削除しない既存パターン)。
+ *
+ * @see https://github.com/EC-CUBE/ec-cube/issues/6574
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout-rest.md
+ */
+class UcpCheckoutController extends AbstractController
+{
+    public function __construct(
+        private readonly BaseInfoRepository $baseInfoRepository,
+        private readonly CheckoutSessionRepository $checkoutSessionRepository,
+        private readonly AgentProtocolRepository $agentProtocolRepository,
+        private readonly CheckoutSessionStatusRepository $statusRepository,
+        private readonly AgentCheckoutPurchaseFlowAdapter $purchaseFlowAdapter,
+        private readonly UcpCheckoutSessionMapper $mapper,
+        private readonly UcpMessageMapper $messageMapper,
+        private readonly AgentCheckoutIdempotencyStore $idempotencyStore,
+        private readonly AgentCheckoutPaymentHandlerRegistry $paymentHandlerRegistry,
+        private readonly CustomerResolverInterface $customerResolver,
+        private readonly AgentCheckoutCompletionService $completionService,
+    ) {
+    }
+
+    #[Route(path: '/ucp/checkout-sessions', name: 'ucp_checkout_create', methods: ['POST'])]
+    public function create(Request $request): JsonResponse
+    {
+        $this->assertEnabled();
+
+        return $this->withIdempotency($request, function () use ($request): array {
+            try {
+                $payload = $this->decodeBody($request);
+                $checkoutRequest = $this->mapper->toCheckoutRequest($payload, $this->resolveAgentId($request));
+
+                $session = (new CheckoutSession())
+                    ->setSessionId($this->generateSessionId())
+                    ->setProtocol($this->agentProtocolRepository->find(AgentProtocol::UCP))
+                    ->setStatus($this->findStatus(CheckoutSessionStatus::INCOMPLETE))
+                    ->setCurrencyCode($checkoutRequest->currencyCode)
+                    ->setMetadata(['line_items' => $this->lineItemsMetadata($checkoutRequest)]);
+
+                return ['status' => 201, 'body' => $this->buildAndPersist($session, $checkoutRequest)];
+            } catch (AgentCheckoutException $e) {
+                return $this->protocolError(422, $e->getErrorCode()->value, $e->getMessage());
+            }
+        });
+    }
+
+    #[Route(path: '/ucp/checkout-sessions/{sessionId}', name: 'ucp_checkout_get', methods: ['GET'])]
+    public function get(string $sessionId): JsonResponse
+    {
+        $this->assertEnabled();
+        $session = $this->findSession($sessionId);
+
+        $order = $session->getOrder();
+        if ($order !== null) {
+            return new JsonResponse($this->mapper->buildResponseFromOrder($session, $order, []), Response::HTTP_OK);
+        }
+
+        return new JsonResponse($this->mapper->buildProvisionalResponse($session, $this->provisionalRequestFromSession($session), []), Response::HTTP_OK);
+    }
+
+    #[Route(path: '/ucp/checkout-sessions/{sessionId}', name: 'ucp_checkout_update', methods: ['PUT'])]
+    public function update(Request $request, string $sessionId): JsonResponse
+    {
+        $this->assertEnabled();
+        $session = $this->findSession($sessionId);
+
+        return $this->withIdempotency($request, function () use ($request, $session): array {
+            try {
+                $payload = $this->decodeBody($request);
+                $checkoutRequest = $this->mapper->toCheckoutRequest($payload, $this->resolveAgentId($request));
+
+                // 全置換セマンティクス: 明細スナップショットを差し替える。
+                $session->setMetadata(array_merge($session->getMetadata() ?? [], ['line_items' => $this->lineItemsMetadata($checkoutRequest)]));
+
+                return ['status' => 200, 'body' => $this->buildAndPersist($session, $checkoutRequest)];
+            } catch (AgentCheckoutException $e) {
+                return $this->protocolError(422, $e->getErrorCode()->value, $e->getMessage());
+            }
+        });
+    }
+
+    #[Route(path: '/ucp/checkout-sessions/{sessionId}/complete', name: 'ucp_checkout_complete', methods: ['POST'])]
+    public function complete(Request $request, string $sessionId): JsonResponse
+    {
+        $this->assertEnabled();
+        $session = $this->findSession($sessionId);
+
+        return $this->withIdempotency($request, function () use ($request, $session): array {
+            $order = $session->getOrder();
+            if ($order === null) {
+                // Order が未構築のセッションは確定不能 (プロトコル系エラー 4xx)。
+                return $this->protocolError(422, 'invalid_session_state', 'The checkout session is not ready for completion.');
+            }
+
+            try {
+                $payload = $this->decodeBody($request);
+                // UCP は payment.instruments[].handler_id で決済ハンドラを解決し、クレデンシャルを
+                // ゲートウェイトークンへ交換する。交換後の中立データを状態機械へ渡す。
+                $paymentData = $this->resolvePaymentData($payload);
+                // complete は「中断→再開」状態機械 (#6777)。追加認証 (3DS/escalation) は
+                // エラーでなく requires_action 等の中間状態として返る。在庫引当の保持/回収・
+                // トランザクション境界・与信→売上→確定の順序は CompletionService が担う。
+                $result = $this->completionService->complete($session, $paymentData);
+            } catch (AgentCheckoutException $e) {
+                return $this->protocolError(422, $e->getErrorCode()->value, $e->getMessage());
+            }
+
+            $ucpMessages = $this->messageMapper->toUcpMessages($result->messages);
+            $continueUrl = $this->continueUrlFor($session, $result);
+
+            return ['status' => 200, 'body' => $this->mapper->buildResponseFromOrder($session, $order, $ucpMessages, $continueUrl)];
+        });
+    }
+
+    #[Route(path: '/ucp/checkout-sessions/{sessionId}/cancel', name: 'ucp_checkout_cancel', methods: ['POST'])]
+    public function cancel(Request $request, string $sessionId): JsonResponse
+    {
+        $this->assertEnabled();
+        $session = $this->findSession($sessionId);
+
+        return $this->withIdempotency($request, function () use ($session): array {
+            if ($session->getStatus()?->getId() === CheckoutSessionStatus::COMPLETED) {
+                return $this->protocolError(422, 'invalid_session_state', 'A completed checkout session cannot be canceled.');
+            }
+
+            $session->setStatus($this->findStatus(CheckoutSessionStatus::CANCELED));
+            $this->entityManager->flush();
+
+            $order = $session->getOrder();
+            $body = $order !== null
+                ? $this->mapper->buildResponseFromOrder($session, $order, [])
+                : $this->mapper->buildProvisionalResponse($session, $this->provisionalRequestFromSession($session), []);
+
+            return ['status' => 200, 'body' => $body];
+        });
+    }
+
+    /**
+     * 中立リクエストからセッションを確定 (見積) し、レスポンスボディを返す.
+     *
+     * 住所未確定なら暫定見積 + incomplete、住所ありなら shopping flow で再計算し ready/incomplete。
+     *
+     * @return array<string, mixed>
+     */
+    private function buildAndPersist(CheckoutSession $session, AgentCheckoutRequest $checkoutRequest): array
+    {
+        if ($checkoutRequest->buyer === null) {
+            $session->setStatus($this->findStatus(CheckoutSessionStatus::INCOMPLETE));
+            $this->entityManager->persist($session);
+            $this->entityManager->flush();
+
+            $messages = [[
+                'type' => 'error',
+                'severity' => 'recoverable',
+                'content' => 'Shipping address is required to calculate shipping and complete checkout.',
+                'content_type' => 'plain',
+            ]];
+
+            return $this->mapper->buildProvisionalResponse($session, $checkoutRequest, $messages);
+        }
+
+        $result = $this->purchaseFlowAdapter->buildOrder($checkoutRequest, $this->customerResolver->resolve($session));
+        $order = $result->order;
+
+        $session
+            ->setOrder($order)
+            ->setBuyerData($this->buyerData($checkoutRequest->buyer))
+            ->setStatus($this->findStatus($result->hasError() ? CheckoutSessionStatus::INCOMPLETE : CheckoutSessionStatus::READY));
+        $this->entityManager->persist($session);
+        $this->entityManager->flush();
+
+        return $this->mapper->buildResponseFromOrder($session, $order, $this->messageMapper->toUcpMessages($result->messages));
+    }
+
+    /**
+     * payment.instruments[].handler_id で UCP 決済ハンドラを解決し、クレデンシャルをゲートウェイ
+     * トークンへ交換した中立データを返す.
+     *
+     * 与信/売上 (authorize/capture) は状態機械 (CompletionService) が実行するため、ここでは交換のみ行う。
+     * ハンドラ未登録 (代引・無償等) の場合は空配列を返し、状態機械が与信不要として確定する。
+     *
+     * @param array<string, mixed> $payload
+     *
+     * @return array<string, mixed>
+     */
+    private function resolvePaymentData(array $payload): array
+    {
+        $instrument = $payload['payment']['instruments'][0] ?? null;
+        if (!is_array($instrument)) {
+            return [];
+        }
+
+        $handlerId = is_string($instrument['handler_id'] ?? null) ? $instrument['handler_id'] : null;
+        if ($handlerId === null) {
+            return [];
+        }
+
+        $handler = $this->paymentHandlerRegistry->resolveUcpByHandlerId($handlerId);
+        if ($handler === null) {
+            return [];
+        }
+
+        $credential = is_array($instrument['credential'] ?? null) ? $instrument['credential'] : [];
+
+        return $handler->exchangePaymentToken($credential);
+    }
+
+    /**
+     * requires_action (escalation) のとき buyer ハンドオフ用の continue_url を解決する.
+     *
+     * UCP では `requires_escalation` 時に continue_url が MUST。決済ハンドラが actionData で
+     * 提供すればそれを優先し、無ければセッション取得 URL を絶対 HTTPS で生成する
+     * (`continue_url` は絶対 HTTPS URL でなければならない)。それ以外の状態では null。
+     */
+    private function continueUrlFor(CheckoutSession $session, AgentCheckoutCompletionResult $result): ?string
+    {
+        if ($session->getStatus()?->getId() !== CheckoutSessionStatus::REQUIRES_ACTION) {
+            return null;
+        }
+
+        $fromHandler = $result->actionData['continue_url'] ?? null;
+        if (is_string($fromHandler) && str_starts_with($fromHandler, 'https://')) {
+            return $fromHandler;
+        }
+
+        $url = $this->generateUrl('ucp_checkout_get', ['sessionId' => $session->getSessionId()], UrlGeneratorInterface::ABSOLUTE_URL);
+
+        // continue_url は絶対 HTTPS URL でなければならない (RequestContext が http のときも https に強制)。
+        return str_starts_with($url, 'http://') ? substr_replace($url, 'https://', 0, 7) : $url;
+    }
+
+    /**
+     * Idempotency-Key を考慮してハンドラを実行し JsonResponse を返す.
+     *
+     * @param callable(): array{status: int, body: array<string, mixed>} $handler
+     */
+    private function withIdempotency(Request $request, callable $handler): JsonResponse
+    {
+        $key = $request->headers->get('Idempotency-Key');
+        // 認証済みエージェント (UcpSignatureSubscriber が検証時に設定) を主体として名前空間化し、
+        // 別エージェントによる越境リプレイを防ぐ。
+        $subject = $request->attributes->get('ucp_agent_profile');
+        $subject = is_string($subject) ? $subject : null;
+        $requestHash = $this->idempotencyStore->hashRequest([
+            'path' => $request->getPathInfo(),
+            'method' => $request->getMethod(),
+            'body' => $request->getContent(),
+            'agent' => $subject,
+        ]);
+
+        try {
+            $result = $this->idempotencyStore->execute($key, $requestHash, $handler, $subject);
+        } catch (IdempotencyConflictException $e) {
+            return new JsonResponse(['code' => 'idempotency_conflict', 'content' => $e->getMessage()], Response::HTTP_CONFLICT);
+        }
+
+        return new JsonResponse($result['body'], $result['status']);
+    }
+
+    /**
+     * @return array{status: int, body: array<string, mixed>}
+     */
+    private function protocolError(int $status, string $code, string $content): array
+    {
+        return ['status' => $status, 'body' => ['code' => $code, 'content' => $content]];
+    }
+
+    private function assertEnabled(): void
+    {
+        if (!$this->baseInfoRepository->get()->isUcpCheckoutEnabled()) {
+            throw new NotFoundHttpException('UCP checkout is not enabled.');
+        }
+    }
+
+    private function findSession(string $sessionId): CheckoutSession
+    {
+        $session = $this->checkoutSessionRepository->findOneBySessionId($sessionId);
+        if ($session === null || $session->getProtocol()?->getId() !== AgentProtocol::UCP) {
+            // 他プロトコル/他マーチャントのセッションへの越境アクセスを遮断する。
+            throw new NotFoundHttpException(sprintf('Checkout session "%s" was not found.', $sessionId));
+        }
+
+        return $session;
+    }
+
+    private function findStatus(int $id): CheckoutSessionStatus
+    {
+        /** @var CheckoutSessionStatus $status */
+        $status = $this->statusRepository->find($id);
+
+        return $status;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function decodeBody(Request $request): array
+    {
+        $content = $request->getContent();
+        if ($content === '') {
+            return [];
+        }
+
+        try {
+            $decoded = json_decode($content, true, 512, JSON_THROW_ON_ERROR);
+        } catch (\JsonException $e) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::EMPTY_LINE_ITEMS, 'Malformed JSON request body.', $e);
+        }
+
+        if (!is_array($decoded)) {
+            return [];
+        }
+
+        // JSON オブジェクトのキーを文字列に正規化する (トップレベルが配列のとき int キーになり得る)。
+        $normalized = [];
+        foreach ($decoded as $key => $value) {
+            $normalized[(string) $key] = $value;
+        }
+
+        return $normalized;
+    }
+
+    private function generateSessionId(): string
+    {
+        return 'ucp_cs_'.bin2hex(random_bytes(16));
+    }
+
+    private function resolveAgentId(Request $request): ?string
+    {
+        // 署名検証済みのエージェント profile URL があれば agent_id として用いる。
+        $verified = $request->attributes->get('ucp_agent_profile');
+
+        return is_string($verified) ? $verified : $request->headers->get('UCP-Agent');
+    }
+
+    /**
+     * @return list<array{pc: int, qty: int}>
+     */
+    private function lineItemsMetadata(AgentCheckoutRequest $checkoutRequest): array
+    {
+        return array_map(
+            static fn (AgentCheckoutLineItem $item): array => ['pc' => $item->productClassId, 'qty' => $item->quantity],
+            $checkoutRequest->lineItems
+        );
+    }
+
+    /**
+     * GET/cancel で Order 未生成のセッションを暫定表示するため、metadata から明細を復元する.
+     */
+    private function provisionalRequestFromSession(CheckoutSession $session): AgentCheckoutRequest
+    {
+        $lineItems = [];
+        $stored = $session->getMetadata()['line_items'] ?? [];
+        if (is_array($stored)) {
+            foreach ($stored as $entry) {
+                if (is_array($entry) && isset($entry['pc'], $entry['qty'])) {
+                    $lineItems[] = new AgentCheckoutLineItem((int) $entry['pc'], (int) $entry['qty']);
+                }
+            }
+        }
+
+        return new AgentCheckoutRequest($lineItems, null, $session->getCurrencyCode(), AgentProtocol::UCP);
+    }
+
+    /**
+     * 中立住所 DTO を buyer_data (echo 用) へ写す.
+     *
+     * @return array<string, mixed>
+     */
+    private function buyerData(AgentCheckoutAddress $address): array
+    {
+        return array_filter([
+            'family_name' => $address->name01,
+            'given_name' => $address->name02,
+            'email' => $address->email,
+            'phone' => $address->phoneNumber,
+        ], static fn ($value): bool => $value !== null);
+    }
+}
diff --git a/src/Eccube/Entity/AgentCheckoutIdempotency.php b/src/Eccube/Entity/AgentCheckoutIdempotency.php
new file mode 100644
index 00000000000..93941552972
--- /dev/null
+++ b/src/Eccube/Entity/AgentCheckoutIdempotency.php
@@ -0,0 +1,190 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Entity;
+
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Eccube\Repository\AgentCheckoutIdempotencyRepository;
+
+if (!class_exists(AgentCheckoutIdempotency::class)) {
+    /**
+     * エージェントチェックアウトの冪等性記録 (Idempotency-Key).
+     *
+     * 状態変更操作 (complete 等) の `Idempotency-Key` を **DB の一意制約**で記録し、再送時は
+     * 副作用を再実行せず保存済みレスポンスをリプレイする。`(idempotency_key, subject)` の一意制約により、
+     * **マルチインスタンス (AWS 等) でも単一の共有 DB だけで**並行・越境の二重実行を防ぐ
+     * (ノードローカルな分散ロックや共有キャッシュに依存しない)。
+     *
+     * - `subject` は認証済みエージェント識別子 (UCP-Agent profile 等)。主体ごとに名前空間化し、
+     *   別エージェントによる越境リプレイを防ぐ。未認証は空文字で扱う (一意制約で NULL を区別しないため)。
+     * - `response_status` が NULL の行は「処理中 (予約のみ)」を表す。確定後にレスポンスを書き込む。
+     *
+     * @see https://github.com/EC-CUBE/ec-cube/issues/6777
+     */
+    #[ORM\Table(name: 'dtb_agent_checkout_idempotency')]
+    #[ORM\Index(columns: ['create_date'], name: 'dtb_agent_checkout_idempotency_create_date_idx')]
+    #[ORM\UniqueConstraint(name: 'dtb_agent_checkout_idempotency_key_idx', columns: ['idempotency_key', 'subject'])]
+    #[ORM\InheritanceType('SINGLE_TABLE')]
+    #[ORM\DiscriminatorColumn(name: 'discriminator_type', type: 'string', length: 255)]
+    #[ORM\HasLifecycleCallbacks]
+    #[ORM\Entity(repositoryClass: AgentCheckoutIdempotencyRepository::class)]
+    class AgentCheckoutIdempotency extends AbstractEntity
+    {
+        #[ORM\Column(name: 'id', type: Types::INTEGER, options: ['unsigned' => true])]
+        #[ORM\Id]
+        #[ORM\GeneratedValue(strategy: 'IDENTITY')]
+        private ?int $id = null;
+
+        /**
+         * エージェントが指定した Idempotency-Key.
+         */
+        #[ORM\Column(name: 'idempotency_key', type: Types::STRING, length: 255)]
+        private string $idempotency_key = '';
+
+        /**
+         * 主体 (認証済みエージェント識別子)。未認証は空文字.
+         */
+        #[ORM\Column(name: 'subject', type: Types::STRING, length: 255)]
+        private string $subject = '';
+
+        /**
+         * リクエスト内容のハッシュ (同一キーの異パラメータ再利用検知用).
+         */
+        #[ORM\Column(name: 'request_hash', type: Types::STRING, length: 255)]
+        private string $request_hash = '';
+
+        /**
+         * 保存済みレスポンスの HTTP ステータス (処理中は NULL).
+         */
+        #[ORM\Column(name: 'response_status', type: Types::INTEGER, nullable: true)]
+        private ?int $response_status = null;
+
+        /**
+         * 保存済みレスポンスボディ (処理中は NULL).
+         *
+         * @var array<string, mixed>|null
+         */
+        #[ORM\Column(name: 'response_body', type: Types::JSON, nullable: true)]
+        private ?array $response_body = null;
+
+        #[ORM\Column(name: 'create_date', type: Types::DATETIMETZ_MUTABLE)]
+        private \DateTime $create_date;
+
+        #[ORM\Column(name: 'update_date', type: Types::DATETIMETZ_MUTABLE)]
+        private \DateTime $update_date;
+
+        public function getId(): ?int
+        {
+            return $this->id;
+        }
+
+        public function getIdempotencyKey(): string
+        {
+            return $this->idempotency_key;
+        }
+
+        public function setIdempotencyKey(string $idempotency_key): self
+        {
+            $this->idempotency_key = $idempotency_key;
+
+            return $this;
+        }
+
+        public function getSubject(): string
+        {
+            return $this->subject;
+        }
+
+        public function setSubject(string $subject): self
+        {
+            $this->subject = $subject;
+
+            return $this;
+        }
+
+        public function getRequestHash(): string
+        {
+            return $this->request_hash;
+        }
+
+        public function setRequestHash(string $request_hash): self
+        {
+            $this->request_hash = $request_hash;
+
+            return $this;
+        }
+
+        public function getResponseStatus(): ?int
+        {
+            return $this->response_status;
+        }
+
+        public function setResponseStatus(?int $response_status = null): self
+        {
+            $this->response_status = $response_status;
+
+            return $this;
+        }
+
+        /**
+         * @return array<string, mixed>|null
+         */
+        public function getResponseBody(): ?array
+        {
+            return $this->response_body;
+        }
+
+        /**
+         * @param array<string, mixed>|null $response_body
+         */
+        public function setResponseBody(?array $response_body = null): self
+        {
+            $this->response_body = $response_body;
+
+            return $this;
+        }
+
+        public function getCreateDate(): ?\DateTime
+        {
+            return $this->create_date ?? null;
+        }
+
+        public function setCreateDate(\DateTime $create_date): self
+        {
+            $this->create_date = $create_date;
+
+            return $this;
+        }
+
+        public function getUpdateDate(): ?\DateTime
+        {
+            return $this->update_date ?? null;
+        }
+
+        public function setUpdateDate(\DateTime $update_date): self
+        {
+            $this->update_date = $update_date;
+
+            return $this;
+        }
+
+        /**
+         * レスポンスが確定済か (処理中=予約のみは false).
+         */
+        public function hasResponse(): bool
+        {
+            return $this->response_status !== null;
+        }
+    }
+}
diff --git a/src/Eccube/Entity/BaseInfo.php b/src/Eccube/Entity/BaseInfo.php
index 042253f5157..b5e3fd92f66 100644
--- a/src/Eccube/Entity/BaseInfo.php
+++ b/src/Eccube/Entity/BaseInfo.php
@@ -154,6 +154,15 @@ class BaseInfo extends AbstractEntity
         #[ORM\Column(name: 'ga_id', type: Types::STRING, length: 255, nullable: true)]
         private ?string $gaId = null;
 
+        #[ORM\Column(name: 'acp_checkout_enabled', type: Types::BOOLEAN, options: ['default' => false])]
+        private bool $acp_checkout_enabled = false;
+
+        #[ORM\Column(name: 'ucp_checkout_enabled', type: Types::BOOLEAN, options: ['default' => false])]
+        private bool $ucp_checkout_enabled = false;
+
+        #[ORM\Column(name: 'ucp_catalog_requires_auth', type: Types::BOOLEAN, options: ['default' => false])]
+        private bool $ucp_catalog_requires_auth = false;
+
         /**
          * Get id.
          *
@@ -831,5 +840,59 @@ public function getGaId(): ?string
         {
             return $this->gaId;
         }
+
+        /**
+         * Set acpCheckoutEnabled.
+         */
+        public function setAcpCheckoutEnabled(bool $acpCheckoutEnabled): BaseInfo
+        {
+            $this->acp_checkout_enabled = $acpCheckoutEnabled;
+
+            return $this;
+        }
+
+        /**
+         * Get acpCheckoutEnabled.
+         */
+        public function isAcpCheckoutEnabled(): bool
+        {
+            return $this->acp_checkout_enabled;
+        }
+
+        /**
+         * Set ucpCheckoutEnabled.
+         */
+        public function setUcpCheckoutEnabled(bool $ucpCheckoutEnabled): BaseInfo
+        {
+            $this->ucp_checkout_enabled = $ucpCheckoutEnabled;
+
+            return $this;
+        }
+
+        /**
+         * Get ucpCheckoutEnabled.
+         */
+        public function isUcpCheckoutEnabled(): bool
+        {
+            return $this->ucp_checkout_enabled;
+        }
+
+        /**
+         * Set ucpCatalogRequiresAuth.
+         */
+        public function setUcpCatalogRequiresAuth(bool $ucpCatalogRequiresAuth): BaseInfo
+        {
+            $this->ucp_catalog_requires_auth = $ucpCatalogRequiresAuth;
+
+            return $this;
+        }
+
+        /**
+         * Get ucpCatalogRequiresAuth.
+         */
+        public function isUcpCatalogRequiresAuth(): bool
+        {
+            return $this->ucp_catalog_requires_auth;
+        }
     }
 }
diff --git a/src/Eccube/Entity/Cart.php b/src/Eccube/Entity/Cart.php
index ce85c4b14d3..a19ba10e541 100644
--- a/src/Eccube/Entity/Cart.php
+++ b/src/Eccube/Entity/Cart.php
@@ -45,6 +45,16 @@ class Cart extends AbstractEntity implements PurchaseInterface, ItemHolderInterf
         #[ORM\Column(name: 'cart_key', type: Types::STRING, nullable: true)]
         private ?string $cart_key = null;
 
+        /**
+         * エージェントコマース (CheckoutSession) が所有するカートか.
+         *
+         * true のカートは Web ストアフロント (CartService) のカート解決から除外され、
+         * ログイン会員のカートマージ・再計算・購入完了等で操作されない。
+         * 通常購入のカートは常に false。
+         */
+        #[ORM\Column(name: 'agent_owned', type: Types::BOOLEAN, options: ['default' => false])]
+        private bool $agent_owned = false;
+
         #[ORM\ManyToOne(targetEntity: Customer::class)]
         #[ORM\JoinColumn(name: 'customer_id', referencedColumnName: 'id')]
         private ?Customer $Customer = null;
@@ -125,6 +135,18 @@ public function setCartKey(string $cartKey): Cart
             return $this;
         }
 
+        public function isAgentOwned(): bool
+        {
+            return $this->agent_owned;
+        }
+
+        public function setAgentOwned(bool $agentOwned): Cart
+        {
+            $this->agent_owned = $agentOwned;
+
+            return $this;
+        }
+
         /**
          * @deprecated 使用しないので削除予定
          */
diff --git a/src/Eccube/Entity/CheckoutSession.php b/src/Eccube/Entity/CheckoutSession.php
new file mode 100644
index 00000000000..626836db8cf
--- /dev/null
+++ b/src/Eccube/Entity/CheckoutSession.php
@@ -0,0 +1,366 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Entity;
+
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Repository\CheckoutSessionRepository;
+
+if (!class_exists(CheckoutSession::class)) {
+    /**
+     * エージェントコマース (ACP/UCP) のチェックアウトセッション.
+     *
+     * プロトコル非依存の中核エンティティ。AI エージェントはブラウザセッション (Cookie) を持たないため、
+     * 通常購入の `Cart` がセッション (`cart_key`) で束ねられるのに対し、本エンティティが
+     * `session_id` (推測困難な公開識別子) で `Cart` をセッションレスに束ねる役割を担う。
+     *
+     * - 商品明細は `Cart`/`CartItem` を再利用 (本エンティティは Cart を関連で保持)。
+     * - 確定時は通常購入と同様に `pre_order_id` 経由で `Order` を生成・関連付ける。
+     * - `status` はプロトコル横断の正規化ステータス。プロトコル固有 status は `metadata` に保持する。
+     *
+     * @see https://github.com/EC-CUBE/ec-cube/issues/6777
+     */
+    #[ORM\Table(name: 'dtb_checkout_session')]
+    #[ORM\Index(columns: ['update_date'], name: 'dtb_checkout_session_update_date_idx')]
+    #[ORM\UniqueConstraint(name: 'dtb_checkout_session_session_id_idx', columns: ['session_id'])]
+    #[ORM\InheritanceType('SINGLE_TABLE')]
+    #[ORM\DiscriminatorColumn(name: 'discriminator_type', type: 'string', length: 255)]
+    #[ORM\HasLifecycleCallbacks]
+    #[ORM\Entity(repositoryClass: CheckoutSessionRepository::class)]
+    class CheckoutSession extends AbstractEntity
+    {
+        #[ORM\Column(name: 'id', type: Types::INTEGER, options: ['unsigned' => true])]
+        #[ORM\Id]
+        #[ORM\GeneratedValue(strategy: 'IDENTITY')]
+        private ?int $id = null;
+
+        /**
+         * エージェントへ公開するセッション識別子 (推測困難・API パスで使用).
+         *
+         * 整数 PK は列挙可能なため、外部公開用にはこの不透明な識別子を用いる。
+         */
+        #[ORM\Column(name: 'session_id', type: Types::STRING, length: 255)]
+        private string $session_id = '';
+
+        /**
+         * プロトコル種別 (ACP / UCP) マスタへの参照.
+         */
+        #[ORM\ManyToOne(targetEntity: AgentProtocol::class)]
+        #[ORM\JoinColumn(name: 'agent_protocol_id', referencedColumnName: 'id')]
+        private ?AgentProtocol $Protocol = null;
+
+        /**
+         * セッションを開始したエージェントの識別子.
+         */
+        #[ORM\Column(name: 'agent_id', type: Types::STRING, length: 255, nullable: true)]
+        private ?string $agent_id = null;
+
+        /**
+         * 正規化ステータス (incomplete/ready/completed/canceled/expired) マスタへの参照.
+         */
+        #[ORM\ManyToOne(targetEntity: CheckoutSessionStatus::class)]
+        #[ORM\JoinColumn(name: 'checkout_session_status_id', referencedColumnName: 'id')]
+        private ?CheckoutSessionStatus $Status = null;
+
+        /**
+         * 通貨コード (ISO 4217 alpha-3).
+         */
+        #[ORM\Column(name: 'currency_code', type: Types::STRING, length: 3)]
+        private string $currency_code = 'JPY';
+
+        /**
+         * セッションの有効期限.
+         */
+        #[ORM\Column(name: 'expires_at', type: Types::DATETIMETZ_MUTABLE, nullable: true)]
+        private ?\DateTime $expires_at = null;
+
+        /**
+         * 購入者情報 (氏名・住所・連絡先等) の中立表現.
+         *
+         * @var array<string, mixed>|null
+         */
+        #[ORM\Column(name: 'buyer_data', type: Types::JSON, nullable: true)]
+        private ?array $buyer_data = null;
+
+        /**
+         * 配送 (fulfillment) 情報の中立表現.
+         *
+         * @var array<string, mixed>|null
+         */
+        #[ORM\Column(name: 'fulfillment_data', type: Types::JSON, nullable: true)]
+        private ?array $fulfillment_data = null;
+
+        /**
+         * 支払情報の中立表現 (token はマスキング/暗号化して保持).
+         *
+         * @var array<string, mixed>|null
+         */
+        #[ORM\Column(name: 'payment_data', type: Types::JSON, nullable: true)]
+        private ?array $payment_data = null;
+
+        /**
+         * プロトコル固有のメタデータ (正規化ステータスに収まらない情報を保持).
+         *
+         * @var array<string, mixed>|null
+         */
+        #[ORM\Column(name: 'metadata', type: Types::JSON, nullable: true)]
+        private ?array $metadata = null;
+
+        /**
+         * 明細を保持する Cart (セッションレスに束ねる対象).
+         */
+        #[ORM\ManyToOne(targetEntity: Cart::class)]
+        #[ORM\JoinColumn(name: 'cart_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+        private ?Cart $Cart = null;
+
+        /**
+         * 確定時に生成される Order (完了前は null).
+         */
+        #[ORM\ManyToOne(targetEntity: Order::class)]
+        #[ORM\JoinColumn(name: 'order_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+        private ?Order $Order = null;
+
+        /**
+         * 紐づく会員 (ゲスト購入では null).
+         */
+        #[ORM\ManyToOne(targetEntity: Customer::class)]
+        #[ORM\JoinColumn(name: 'customer_id', referencedColumnName: 'id', nullable: true, onDelete: 'SET NULL')]
+        private ?Customer $Customer = null;
+
+        #[ORM\Column(name: 'create_date', type: Types::DATETIMETZ_MUTABLE)]
+        private \DateTime $create_date;
+
+        #[ORM\Column(name: 'update_date', type: Types::DATETIMETZ_MUTABLE)]
+        private \DateTime $update_date;
+
+        public function getId(): ?int
+        {
+            return $this->id;
+        }
+
+        public function getSessionId(): string
+        {
+            return $this->session_id;
+        }
+
+        public function setSessionId(string $session_id): CheckoutSession
+        {
+            $this->session_id = $session_id;
+
+            return $this;
+        }
+
+        public function getProtocol(): ?AgentProtocol
+        {
+            return $this->Protocol;
+        }
+
+        public function setProtocol(?AgentProtocol $Protocol = null): CheckoutSession
+        {
+            $this->Protocol = $Protocol;
+
+            return $this;
+        }
+
+        public function getAgentId(): ?string
+        {
+            return $this->agent_id;
+        }
+
+        public function setAgentId(?string $agent_id = null): CheckoutSession
+        {
+            $this->agent_id = $agent_id;
+
+            return $this;
+        }
+
+        public function getStatus(): ?CheckoutSessionStatus
+        {
+            return $this->Status;
+        }
+
+        public function setStatus(?CheckoutSessionStatus $Status = null): CheckoutSession
+        {
+            $this->Status = $Status;
+
+            return $this;
+        }
+
+        public function getCurrencyCode(): string
+        {
+            return $this->currency_code;
+        }
+
+        public function setCurrencyCode(string $currency_code): CheckoutSession
+        {
+            $this->currency_code = $currency_code;
+
+            return $this;
+        }
+
+        public function getExpiresAt(): ?\DateTime
+        {
+            return $this->expires_at;
+        }
+
+        public function setExpiresAt(?\DateTime $expires_at = null): CheckoutSession
+        {
+            $this->expires_at = $expires_at;
+
+            return $this;
+        }
+
+        /**
+         * @return array<string, mixed>|null
+         */
+        public function getBuyerData(): ?array
+        {
+            return $this->buyer_data;
+        }
+
+        /**
+         * @param array<string, mixed>|null $buyer_data
+         */
+        public function setBuyerData(?array $buyer_data = null): CheckoutSession
+        {
+            $this->buyer_data = $buyer_data;
+
+            return $this;
+        }
+
+        /**
+         * @return array<string, mixed>|null
+         */
+        public function getFulfillmentData(): ?array
+        {
+            return $this->fulfillment_data;
+        }
+
+        /**
+         * @param array<string, mixed>|null $fulfillment_data
+         */
+        public function setFulfillmentData(?array $fulfillment_data = null): CheckoutSession
+        {
+            $this->fulfillment_data = $fulfillment_data;
+
+            return $this;
+        }
+
+        /**
+         * @return array<string, mixed>|null
+         */
+        public function getPaymentData(): ?array
+        {
+            return $this->payment_data;
+        }
+
+        /**
+         * @param array<string, mixed>|null $payment_data
+         */
+        public function setPaymentData(?array $payment_data = null): CheckoutSession
+        {
+            $this->payment_data = $payment_data;
+
+            return $this;
+        }
+
+        /**
+         * @return array<string, mixed>|null
+         */
+        public function getMetadata(): ?array
+        {
+            return $this->metadata;
+        }
+
+        /**
+         * @param array<string, mixed>|null $metadata
+         */
+        public function setMetadata(?array $metadata = null): CheckoutSession
+        {
+            $this->metadata = $metadata;
+
+            return $this;
+        }
+
+        public function getCart(): ?Cart
+        {
+            return $this->Cart;
+        }
+
+        public function setCart(?Cart $Cart = null): CheckoutSession
+        {
+            $this->Cart = $Cart;
+
+            return $this;
+        }
+
+        public function getOrder(): ?Order
+        {
+            return $this->Order;
+        }
+
+        public function setOrder(?Order $Order = null): CheckoutSession
+        {
+            $this->Order = $Order;
+
+            return $this;
+        }
+
+        public function getCustomer(): ?Customer
+        {
+            return $this->Customer;
+        }
+
+        public function setCustomer(?Customer $Customer = null): CheckoutSession
+        {
+            $this->Customer = $Customer;
+
+            return $this;
+        }
+
+        public function getCreateDate(): ?\DateTime
+        {
+            return $this->create_date ?? null;
+        }
+
+        public function setCreateDate(\DateTime $create_date): CheckoutSession
+        {
+            $this->create_date = $create_date;
+
+            return $this;
+        }
+
+        public function getUpdateDate(): ?\DateTime
+        {
+            return $this->update_date ?? null;
+        }
+
+        public function setUpdateDate(\DateTime $update_date): CheckoutSession
+        {
+            $this->update_date = $update_date;
+
+            return $this;
+        }
+
+        /**
+         * 有効期限を過ぎているか.
+         */
+        public function isExpired(\DateTime $now): bool
+        {
+            return $this->expires_at !== null && $this->expires_at <= $now;
+        }
+    }
+}
diff --git a/src/Eccube/Entity/Master/AgentProtocol.php b/src/Eccube/Entity/Master/AgentProtocol.php
new file mode 100644
index 00000000000..16292b49ce5
--- /dev/null
+++ b/src/Eccube/Entity/Master/AgentProtocol.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Entity\Master;
+
+use Doctrine\ORM\Mapping as ORM;
+use Eccube\Repository\Master\AgentProtocolRepository;
+
+if (!class_exists(AgentProtocol::class, false)) {
+    /**
+     * AgentProtocol.
+     *
+     * エージェントコマースのプロトコル種別マスタ (ACP / UCP)。
+     * `CheckoutSession` と `Order.agent_protocol` の双方から参照されるため、
+     * 文字列での二重管理を避けてマスタ化している。
+     * `name` には正準識別子 (`acp`/`ucp`) を保持する (ロケール非依存・ja/en 共通)。
+     */
+    #[ORM\Table(name: 'mtb_agent_protocol')]
+    #[ORM\InheritanceType('SINGLE_TABLE')]
+    #[ORM\DiscriminatorColumn(name: 'discriminator_type', type: 'string', length: 255)]
+    #[ORM\HasLifecycleCallbacks]
+    #[ORM\Entity(repositoryClass: AgentProtocolRepository::class)]
+    #[ORM\Cache(usage: 'NONSTRICT_READ_WRITE')]
+    class AgentProtocol extends AbstractMasterEntity
+    {
+        /** Agentic Commerce Protocol (OpenAI + Stripe). */
+        public const ACP = 1;
+
+        /** Universal Commerce Protocol (ucp.dev / Google). */
+        public const UCP = 2;
+    }
+}
diff --git a/src/Eccube/Entity/Master/CheckoutSessionStatus.php b/src/Eccube/Entity/Master/CheckoutSessionStatus.php
new file mode 100644
index 00000000000..fdd53984572
--- /dev/null
+++ b/src/Eccube/Entity/Master/CheckoutSessionStatus.php
@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Entity\Master;
+
+use Doctrine\ORM\Mapping as ORM;
+use Eccube\Repository\Master\CheckoutSessionStatusRepository;
+
+if (!class_exists(CheckoutSessionStatus::class, false)) {
+    /**
+     * CheckoutSessionStatus.
+     *
+     * エージェントコマース (ACP/UCP) チェックアウトセッションの正規化ステータスマスタ。
+     * `name` にはプロトコル横断の正準識別子
+     * (`incomplete`/`ready`/`requires_action`/`in_progress`/`completed`/`canceled`/`expired`)
+     * を保持する (ロケール非依存・ja/en 共通)。表示ラベルではなく機械可読値である点に注意。
+     *
+     * `requires_action` / `in_progress` は**非終端だが在庫を引当済み**の中間状態であり、
+     * complete の状態機械 ({@link \Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionService})
+     * が遷移させる。期限切れ回収 ({@link \Eccube\Repository\CheckoutSessionRepository::findExpired}) の
+     * 対象に含まれる (終端は completed/canceled/expired のみ)。
+     */
+    #[ORM\Table(name: 'mtb_checkout_session_status')]
+    #[ORM\InheritanceType('SINGLE_TABLE')]
+    #[ORM\DiscriminatorColumn(name: 'discriminator_type', type: 'string', length: 255)]
+    #[ORM\HasLifecycleCallbacks]
+    #[ORM\Entity(repositoryClass: CheckoutSessionStatusRepository::class)]
+    #[ORM\Cache(usage: 'NONSTRICT_READ_WRITE')]
+    class CheckoutSessionStatus extends AbstractMasterEntity
+    {
+        /** 未完了 (作成直後・住所/配送/支払が未確定). */
+        public const INCOMPLETE = 1;
+
+        /** 確定可能 (必須項目が揃い complete を実行できる). */
+        public const READY = 2;
+
+        /** 完了 (Order 生成済). */
+        public const COMPLETED = 3;
+
+        /** 取消. */
+        public const CANCELED = 4;
+
+        /** 期限切れ. */
+        public const EXPIRED = 5;
+
+        /** 追加対応待ち (3DS challenge / escalation)。在庫は引当のまま保持し再開 complete を待つ. */
+        public const REQUIRES_ACTION = 6;
+
+        /** 非同期決済の確定待ち (PSP の IPN/Webhook で completed へ遷移). */
+        public const IN_PROGRESS = 7;
+    }
+}
diff --git a/src/Eccube/Entity/Master/CountryIsoCode.php b/src/Eccube/Entity/Master/CountryIsoCode.php
new file mode 100644
index 00000000000..345fd81ffda
--- /dev/null
+++ b/src/Eccube/Entity/Master/CountryIsoCode.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Entity\Master;
+
+use Doctrine\ORM\Mapping as ORM;
+use Eccube\Repository\Master\CountryIsoCodeRepository;
+
+if (!class_exists(CountryIsoCode::class, false)) {
+    /**
+     * CountryIsoCode.
+     *
+     * 国の ISO 3166-1 numeric (= mtb_country.id) と alpha-2 コードの対応マスタ。
+     * 固定スキーマ (id/name/sort_no/discriminator_type) に従い、
+     * id に ISO numeric、name に alpha-2 コード (例: US, JP) を格納する。
+     */
+    #[ORM\Table(name: 'mtb_country_iso_code')]
+    #[ORM\InheritanceType('SINGLE_TABLE')]
+    #[ORM\DiscriminatorColumn(name: 'discriminator_type', type: 'string', length: 255)]
+    #[ORM\HasLifecycleCallbacks]
+    #[ORM\Entity(repositoryClass: CountryIsoCodeRepository::class)]
+    #[ORM\Cache(usage: 'NONSTRICT_READ_WRITE')]
+    class CountryIsoCode extends AbstractMasterEntity
+    {
+    }
+}
diff --git a/src/Eccube/Entity/Order.php b/src/Eccube/Entity/Order.php
index c3bdabdd322..84a9dc460f9 100644
--- a/src/Eccube/Entity/Order.php
+++ b/src/Eccube/Entity/Order.php
@@ -19,6 +19,7 @@
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping as ORM;
 use Doctrine\ORM\PersistentCollection;
+use Eccube\Entity\Master\AgentProtocol;
 use Eccube\Entity\Master\Country;
 use Eccube\Entity\Master\CustomerOrderStatus;
 use Eccube\Entity\Master\DeviceType;
@@ -474,6 +475,23 @@ public function getTotalPrice(): string
         #[ORM\Column(name: 'complete_mail_message', type: Types::TEXT, nullable: true)]
         private ?string $complete_mail_message = null;
 
+        /**
+         * エージェントコマース (ACP/UCP) 経由の注文のプロトコル種別マスタへの参照.
+         *
+         * 通常購入では null。エージェント経由の注文でのみ ACP / UCP がセットされる。
+         */
+        #[ORM\ManyToOne(targetEntity: AgentProtocol::class)]
+        #[ORM\JoinColumn(name: 'agent_protocol_id', referencedColumnName: 'id')]
+        private ?AgentProtocol $AgentProtocol = null;
+
+        /**
+         * エージェントコマース経由の注文を発行したエージェントの識別子.
+         *
+         * 通常購入では null。
+         */
+        #[ORM\Column(name: 'agent_id', type: Types::STRING, length: 255, nullable: true)]
+        private ?string $agent_id = null;
+
         /**
          * @var Collection<int, OrderItem>
          */
@@ -1177,6 +1195,30 @@ public function appendCompleteMailMessage(?string $complete_mail_message = null)
             return $this;
         }
 
+        public function getAgentProtocol(): ?AgentProtocol
+        {
+            return $this->AgentProtocol;
+        }
+
+        public function setAgentProtocol(?AgentProtocol $AgentProtocol = null): Order
+        {
+            $this->AgentProtocol = $AgentProtocol;
+
+            return $this;
+        }
+
+        public function getAgentId(): ?string
+        {
+            return $this->agent_id;
+        }
+
+        public function setAgentId(?string $agent_id = null): Order
+        {
+            $this->agent_id = $agent_id;
+
+            return $this;
+        }
+
         /**
          * 商品の受注明細を取得
          *
diff --git a/src/Eccube/Form/Type/Admin/ShopMasterType.php b/src/Eccube/Form/Type/Admin/ShopMasterType.php
index ec5f4de8a9c..2bf342d587e 100644
--- a/src/Eccube/Form/Type/Admin/ShopMasterType.php
+++ b/src/Eccube/Form/Type/Admin/ShopMasterType.php
@@ -218,6 +218,9 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                     ]),
                 ],
             ])
+            // エージェントコマース checkout の有効化フラグ (discovery / catalog は常時公開、checkout のみ制御)
+            ->add('acp_checkout_enabled', ToggleSwitchType::class)
+            ->add('ucp_checkout_enabled', ToggleSwitchType::class)
         ;
 
         $builder->add(
diff --git a/src/Eccube/Repository/AgentCheckoutIdempotencyRepository.php b/src/Eccube/Repository/AgentCheckoutIdempotencyRepository.php
new file mode 100644
index 00000000000..d8da0528910
--- /dev/null
+++ b/src/Eccube/Repository/AgentCheckoutIdempotencyRepository.php
@@ -0,0 +1,55 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Repository;
+
+use Doctrine\Persistence\ManagerRegistry as RegistryInterface;
+use Eccube\Entity\AgentCheckoutIdempotency;
+
+/**
+ * AgentCheckoutIdempotencyRepository
+ *
+ * @extends AbstractRepository<AgentCheckoutIdempotency>
+ */
+class AgentCheckoutIdempotencyRepository extends AbstractRepository
+{
+    public function __construct(RegistryInterface $registry)
+    {
+        parent::__construct($registry, AgentCheckoutIdempotency::class);
+    }
+
+    /**
+     * Idempotency-Key と主体で 1 件取得する.
+     */
+    public function findOneByKeyAndSubject(string $key, string $subject): ?AgentCheckoutIdempotency
+    {
+        return $this->findOneBy(['idempotency_key' => $key, 'subject' => $subject]);
+    }
+
+    /**
+     * 指定時刻より前に作成された記録を削除する (保管期間超過分のクリーンアップ用).
+     *
+     * クリーンアップコマンド (派生 issue) から利用する想定。
+     *
+     * @return int 削除件数
+     */
+    public function deleteOlderThan(\DateTime $threshold): int
+    {
+        return (int) $this->createQueryBuilder('i')
+            ->delete()
+            ->where('i.create_date < :threshold')
+            ->setParameter('threshold', $threshold)
+            ->getQuery()
+            ->execute();
+    }
+}
diff --git a/src/Eccube/Repository/CheckoutSessionRepository.php b/src/Eccube/Repository/CheckoutSessionRepository.php
new file mode 100644
index 00000000000..75400f0deb9
--- /dev/null
+++ b/src/Eccube/Repository/CheckoutSessionRepository.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Repository;
+
+use Doctrine\Persistence\ManagerRegistry as RegistryInterface;
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+
+/**
+ * CheckoutSessionRepository
+ *
+ * @extends AbstractRepository<CheckoutSession>
+ */
+class CheckoutSessionRepository extends AbstractRepository
+{
+    public function __construct(RegistryInterface $registry)
+    {
+        parent::__construct($registry, CheckoutSession::class);
+    }
+
+    /**
+     * エージェント公開用のセッション識別子で 1 件取得する.
+     */
+    public function findOneBySessionId(string $sessionId): ?CheckoutSession
+    {
+        return $this->findOneBy(['session_id' => $sessionId]);
+    }
+
+    /**
+     * 指定時刻より前に有効期限が切れた未完了セッションを取得する.
+     *
+     * クリーンアップコマンド (派生 issue) から利用する想定。
+     *
+     * @return array<int, CheckoutSession>
+     */
+    public function findExpired(\DateTime $now): array
+    {
+        $qb = $this->createQueryBuilder('cs');
+
+        /** @var array<int, CheckoutSession> $result */
+        $result = $qb
+            ->where('cs.expires_at IS NOT NULL')
+            ->andWhere('cs.expires_at < :now')
+            ->andWhere($qb->expr()->orX(
+                'cs.Status IS NULL',
+                $qb->expr()->notIn('IDENTITY(cs.Status)', ':terminalStatuses')
+            ))
+            ->setParameter('now', $now)
+            ->setParameter('terminalStatuses', [
+                CheckoutSessionStatus::COMPLETED,
+                CheckoutSessionStatus::CANCELED,
+                CheckoutSessionStatus::EXPIRED,
+            ])
+            ->getQuery()
+            ->getResult();
+
+        return $result;
+    }
+}
diff --git a/src/Eccube/Repository/Master/AgentProtocolRepository.php b/src/Eccube/Repository/Master/AgentProtocolRepository.php
new file mode 100644
index 00000000000..d61f64cd6cc
--- /dev/null
+++ b/src/Eccube/Repository/Master/AgentProtocolRepository.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Repository\Master;
+
+use Doctrine\Persistence\ManagerRegistry as RegistryInterface;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Repository\AbstractRepository;
+
+/**
+ * @extends AbstractRepository<AgentProtocol>
+ */
+class AgentProtocolRepository extends AbstractRepository
+{
+    public function __construct(RegistryInterface $registry)
+    {
+        parent::__construct($registry, AgentProtocol::class);
+    }
+}
diff --git a/src/Eccube/Repository/Master/CheckoutSessionStatusRepository.php b/src/Eccube/Repository/Master/CheckoutSessionStatusRepository.php
new file mode 100644
index 00000000000..5cd6f8e6bbc
--- /dev/null
+++ b/src/Eccube/Repository/Master/CheckoutSessionStatusRepository.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Repository\Master;
+
+use Doctrine\Persistence\ManagerRegistry as RegistryInterface;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Repository\AbstractRepository;
+
+/**
+ * @extends AbstractRepository<CheckoutSessionStatus>
+ */
+class CheckoutSessionStatusRepository extends AbstractRepository
+{
+    public function __construct(RegistryInterface $registry)
+    {
+        parent::__construct($registry, CheckoutSessionStatus::class);
+    }
+}
diff --git a/src/Eccube/Repository/Master/CountryIsoCodeRepository.php b/src/Eccube/Repository/Master/CountryIsoCodeRepository.php
new file mode 100644
index 00000000000..149bc547b97
--- /dev/null
+++ b/src/Eccube/Repository/Master/CountryIsoCodeRepository.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Repository\Master;
+
+use Doctrine\Persistence\ManagerRegistry as RegistryInterface;
+use Eccube\Entity\Master\CountryIsoCode;
+use Eccube\Repository\AbstractRepository;
+
+/**
+ * CountryIsoCodeRepository.
+ *
+ * @extends AbstractRepository<CountryIsoCode>
+ */
+class CountryIsoCodeRepository extends AbstractRepository
+{
+    public function __construct(RegistryInterface $registry)
+    {
+        parent::__construct($registry, CountryIsoCode::class);
+    }
+}
diff --git a/src/Eccube/Resource/doctrine/import_csv/en/definition.yml b/src/Eccube/Resource/doctrine/import_csv/en/definition.yml
index bd8383c3485..588b3553fd8 100644
--- a/src/Eccube/Resource/doctrine/import_csv/en/definition.yml
+++ b/src/Eccube/Resource/doctrine/import_csv/en/definition.yml
@@ -1,5 +1,8 @@
+- mtb_agent_protocol.csv
 - mtb_authority.csv
+- mtb_checkout_session_status.csv
 - mtb_country.csv
+- mtb_country_iso_code.csv
 - mtb_csv_type.csv
 - mtb_customer_order_status.csv
 - mtb_customer_status.csv
diff --git a/src/Eccube/Resource/doctrine/import_csv/en/dtb_base_info.csv b/src/Eccube/Resource/doctrine/import_csv/en/dtb_base_info.csv
index 95a7ffd2662..2e993540906 100644
--- a/src/Eccube/Resource/doctrine/import_csv/en/dtb_base_info.csv
+++ b/src/Eccube/Resource/doctrine/import_csv/en/dtb_base_info.csv
@@ -1 +1 @@
-id,country_id,pref_id,company_name,company_kana,postal_code,addr01,addr02,phone_number,business_hour,email01,email02,email03,email04,shop_name,shop_kana,shop_name_eng,update_date,good_traded,message,delivery_free_amount,delivery_free_quantity,option_mypage_order_status_display,option_nostock_hidden,option_favorite_product,option_product_delivery_fee,option_product_tax_rule,option_customer_activate,option_guest_purchase,option_remember_me,option_mail_notifier,authentication_key,option_point,basic_point_rate,point_conversion_rate,discriminator_type
+id,country_id,pref_id,company_name,company_kana,postal_code,addr01,addr02,phone_number,business_hour,email01,email02,email03,email04,shop_name,shop_kana,shop_name_eng,update_date,good_traded,message,delivery_free_amount,delivery_free_quantity,option_mypage_order_status_display,option_nostock_hidden,option_favorite_product,option_product_delivery_fee,option_product_tax_rule,option_customer_activate,option_guest_purchase,option_remember_me,option_mail_notifier,authentication_key,option_point,basic_point_rate,point_conversion_rate,discriminator_type,acp_checkout_enabled,ucp_checkout_enabled,ucp_catalog_requires_auth
diff --git a/src/Eccube/Resource/doctrine/import_csv/en/mtb_agent_protocol.csv b/src/Eccube/Resource/doctrine/import_csv/en/mtb_agent_protocol.csv
new file mode 100644
index 00000000000..575027df7fe
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/en/mtb_agent_protocol.csv
@@ -0,0 +1,3 @@
+id,name,sort_no,discriminator_type
+"1","acp","1","agentprotocol"
+"2","ucp","2","agentprotocol"
diff --git a/src/Eccube/Resource/doctrine/import_csv/en/mtb_checkout_session_status.csv b/src/Eccube/Resource/doctrine/import_csv/en/mtb_checkout_session_status.csv
new file mode 100644
index 00000000000..5a90d4ad32d
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/en/mtb_checkout_session_status.csv
@@ -0,0 +1,8 @@
+id,name,sort_no,discriminator_type
+"1","incomplete","1","checkoutsessionstatus"
+"2","ready","2","checkoutsessionstatus"
+"3","completed","3","checkoutsessionstatus"
+"4","canceled","4","checkoutsessionstatus"
+"5","expired","5","checkoutsessionstatus"
+"6","requires_action","6","checkoutsessionstatus"
+"7","in_progress","7","checkoutsessionstatus"
diff --git a/src/Eccube/Resource/doctrine/import_csv/en/mtb_country_iso_code.csv b/src/Eccube/Resource/doctrine/import_csv/en/mtb_country_iso_code.csv
new file mode 100644
index 00000000000..941bd5c983f
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/en/mtb_country_iso_code.csv
@@ -0,0 +1,250 @@
+id,name,sort_no,discriminator_type
+"352","IS","1","countryisocode"
+"372","IE","2","countryisocode"
+"31","AZ","3","countryisocode"
+"4","AF","4","countryisocode"
+"840","US","5","countryisocode"
+"850","VI","6","countryisocode"
+"16","AS","7","countryisocode"
+"784","AE","8","countryisocode"
+"12","DZ","9","countryisocode"
+"32","AR","10","countryisocode"
+"533","AW","11","countryisocode"
+"8","AL","12","countryisocode"
+"51","AM","13","countryisocode"
+"660","AI","14","countryisocode"
+"24","AO","15","countryisocode"
+"28","AG","16","countryisocode"
+"20","AD","17","countryisocode"
+"887","YE","18","countryisocode"
+"826","GB","19","countryisocode"
+"86","IO","20","countryisocode"
+"92","VG","21","countryisocode"
+"376","IL","22","countryisocode"
+"380","IT","23","countryisocode"
+"368","IQ","24","countryisocode"
+"364","IR","25","countryisocode"
+"356","IN","26","countryisocode"
+"360","ID","27","countryisocode"
+"876","WF","28","countryisocode"
+"800","UG","29","countryisocode"
+"804","UA","30","countryisocode"
+"860","UZ","31","countryisocode"
+"858","UY","32","countryisocode"
+"218","EC","33","countryisocode"
+"818","EG","34","countryisocode"
+"233","EE","35","countryisocode"
+"231","ET","36","countryisocode"
+"232","ER","37","countryisocode"
+"222","SV","38","countryisocode"
+"36","AU","39","countryisocode"
+"40","AT","40","countryisocode"
+"248","AX","41","countryisocode"
+"512","OM","42","countryisocode"
+"528","NL","43","countryisocode"
+"288","GH","44","countryisocode"
+"132","CV","45","countryisocode"
+"831","GG","46","countryisocode"
+"328","GY","47","countryisocode"
+"398","KZ","48","countryisocode"
+"634","QA","49","countryisocode"
+"581","UM","50","countryisocode"
+"124","CA","51","countryisocode"
+"266","GA","52","countryisocode"
+"120","CM","53","countryisocode"
+"270","GM","54","countryisocode"
+"116","KH","55","countryisocode"
+"580","MP","56","countryisocode"
+"324","GN","57","countryisocode"
+"624","GW","58","countryisocode"
+"196","CY","59","countryisocode"
+"192","CU","60","countryisocode"
+"531","CW","61","countryisocode"
+"300","GR","62","countryisocode"
+"296","KI","63","countryisocode"
+"417","KG","64","countryisocode"
+"320","GT","65","countryisocode"
+"312","GP","66","countryisocode"
+"316","GU","67","countryisocode"
+"414","KW","68","countryisocode"
+"184","CK","69","countryisocode"
+"304","GL","70","countryisocode"
+"162","CX","71","countryisocode"
+"268","GE","72","countryisocode"
+"308","GD","73","countryisocode"
+"191","HR","74","countryisocode"
+"136","KY","75","countryisocode"
+"404","KE","76","countryisocode"
+"384","CI","77","countryisocode"
+"166","CC","78","countryisocode"
+"188","CR","79","countryisocode"
+"174","KM","80","countryisocode"
+"170","CO","81","countryisocode"
+"178","CG","82","countryisocode"
+"180","CD","83","countryisocode"
+"682","SA","84","countryisocode"
+"239","GS","85","countryisocode"
+"882","WS","86","countryisocode"
+"678","ST","87","countryisocode"
+"652","BL","88","countryisocode"
+"894","ZM","89","countryisocode"
+"666","PM","90","countryisocode"
+"674","SM","91","countryisocode"
+"663","MF","92","countryisocode"
+"694","SL","93","countryisocode"
+"262","DJ","94","countryisocode"
+"292","GI","95","countryisocode"
+"832","JE","96","countryisocode"
+"388","JM","97","countryisocode"
+"760","SY","98","countryisocode"
+"702","SG","99","countryisocode"
+"534","SX","100","countryisocode"
+"716","ZW","101","countryisocode"
+"756","CH","102","countryisocode"
+"752","SE","103","countryisocode"
+"729","SD","104","countryisocode"
+"744","SJ","105","countryisocode"
+"724","ES","106","countryisocode"
+"740","SR","107","countryisocode"
+"144","LK","108","countryisocode"
+"703","SK","109","countryisocode"
+"705","SI","110","countryisocode"
+"748","SZ","111","countryisocode"
+"690","SC","112","countryisocode"
+"226","GQ","113","countryisocode"
+"686","SN","114","countryisocode"
+"688","RS","115","countryisocode"
+"659","KN","116","countryisocode"
+"670","VC","117","countryisocode"
+"426","LS","118","countryisocode"
+"654","SH","119","countryisocode"
+"662","LC","120","countryisocode"
+"706","SO","121","countryisocode"
+"90","SB","122","countryisocode"
+"796","TC","123","countryisocode"
+"764","TH","124","countryisocode"
+"410","KR","125","countryisocode"
+"158","TW","126","countryisocode"
+"762","TJ","127","countryisocode"
+"834","TZ","128","countryisocode"
+"203","CZ","129","countryisocode"
+"148","TD","130","countryisocode"
+"140","CF","131","countryisocode"
+"156","CN","132","countryisocode"
+"788","TN","133","countryisocode"
+"408","KP","134","countryisocode"
+"152","CL","135","countryisocode"
+"798","TV","136","countryisocode"
+"208","DK","137","countryisocode"
+"276","DE","138","countryisocode"
+"768","TG","139","countryisocode"
+"772","TK","140","countryisocode"
+"214","DO","141","countryisocode"
+"212","DM","142","countryisocode"
+"780","TT","143","countryisocode"
+"795","TM","144","countryisocode"
+"792","TR","145","countryisocode"
+"776","TO","146","countryisocode"
+"566","NG","147","countryisocode"
+"520","NR","148","countryisocode"
+"516","NA","149","countryisocode"
+"10","AQ","150","countryisocode"
+"570","NU","151","countryisocode"
+"558","NI","152","countryisocode"
+"562","NE","153","countryisocode"
+"392","JP","154","countryisocode"
+"732","EH","155","countryisocode"
+"540","NC","156","countryisocode"
+"554","NZ","157","countryisocode"
+"524","NP","158","countryisocode"
+"574","NF","159","countryisocode"
+"578","NO","160","countryisocode"
+"334","HM","161","countryisocode"
+"48","BH","162","countryisocode"
+"332","HT","163","countryisocode"
+"586","PK","164","countryisocode"
+"336","VA","165","countryisocode"
+"591","PA","166","countryisocode"
+"548","VU","167","countryisocode"
+"44","BS","168","countryisocode"
+"598","PG","169","countryisocode"
+"60","BM","170","countryisocode"
+"585","PW","171","countryisocode"
+"600","PY","172","countryisocode"
+"52","BB","173","countryisocode"
+"275","PS","174","countryisocode"
+"348","HU","175","countryisocode"
+"50","BD","176","countryisocode"
+"626","TL","177","countryisocode"
+"612","PN","178","countryisocode"
+"242","FJ","179","countryisocode"
+"608","PH","180","countryisocode"
+"246","FI","181","countryisocode"
+"64","BT","182","countryisocode"
+"74","BV","183","countryisocode"
+"630","PR","184","countryisocode"
+"234","FO","185","countryisocode"
+"238","FK","186","countryisocode"
+"76","BR","187","countryisocode"
+"250","FR","188","countryisocode"
+"254","GF","189","countryisocode"
+"258","PF","190","countryisocode"
+"260","TF","191","countryisocode"
+"100","BG","192","countryisocode"
+"854","BF","193","countryisocode"
+"96","BN","194","countryisocode"
+"108","BI","195","countryisocode"
+"704","VN","196","countryisocode"
+"204","BJ","197","countryisocode"
+"862","VE","198","countryisocode"
+"112","BY","199","countryisocode"
+"84","BZ","200","countryisocode"
+"604","PE","201","countryisocode"
+"56","BE","202","countryisocode"
+"616","PL","203","countryisocode"
+"70","BA","204","countryisocode"
+"72","BW","205","countryisocode"
+"535","BQ","206","countryisocode"
+"68","BO","207","countryisocode"
+"620","PT","208","countryisocode"
+"344","HK","209","countryisocode"
+"340","HN","210","countryisocode"
+"584","MH","211","countryisocode"
+"446","MO","212","countryisocode"
+"807","MK","213","countryisocode"
+"450","MG","214","countryisocode"
+"175","YT","215","countryisocode"
+"454","MW","216","countryisocode"
+"466","ML","217","countryisocode"
+"470","MT","218","countryisocode"
+"474","MQ","219","countryisocode"
+"458","MY","220","countryisocode"
+"833","IM","221","countryisocode"
+"583","FM","222","countryisocode"
+"710","ZA","223","countryisocode"
+"728","SS","224","countryisocode"
+"104","MM","225","countryisocode"
+"484","MX","226","countryisocode"
+"480","MU","227","countryisocode"
+"478","MR","228","countryisocode"
+"508","MZ","229","countryisocode"
+"492","MC","230","countryisocode"
+"462","MV","231","countryisocode"
+"498","MD","232","countryisocode"
+"504","MA","233","countryisocode"
+"496","MN","234","countryisocode"
+"499","ME","235","countryisocode"
+"500","MS","236","countryisocode"
+"400","JO","237","countryisocode"
+"418","LA","238","countryisocode"
+"428","LV","239","countryisocode"
+"440","LT","240","countryisocode"
+"434","LY","241","countryisocode"
+"438","LI","242","countryisocode"
+"430","LR","243","countryisocode"
+"642","RO","244","countryisocode"
+"442","LU","245","countryisocode"
+"646","RW","246","countryisocode"
+"422","LB","247","countryisocode"
+"638","RE","248","countryisocode"
+"643","RU","249","countryisocode"
diff --git a/src/Eccube/Resource/doctrine/import_csv/ja/definition.yml b/src/Eccube/Resource/doctrine/import_csv/ja/definition.yml
index bd8383c3485..588b3553fd8 100644
--- a/src/Eccube/Resource/doctrine/import_csv/ja/definition.yml
+++ b/src/Eccube/Resource/doctrine/import_csv/ja/definition.yml
@@ -1,5 +1,8 @@
+- mtb_agent_protocol.csv
 - mtb_authority.csv
+- mtb_checkout_session_status.csv
 - mtb_country.csv
+- mtb_country_iso_code.csv
 - mtb_csv_type.csv
 - mtb_customer_order_status.csv
 - mtb_customer_status.csv
diff --git a/src/Eccube/Resource/doctrine/import_csv/ja/dtb_base_info.csv b/src/Eccube/Resource/doctrine/import_csv/ja/dtb_base_info.csv
index 95a7ffd2662..2e993540906 100644
--- a/src/Eccube/Resource/doctrine/import_csv/ja/dtb_base_info.csv
+++ b/src/Eccube/Resource/doctrine/import_csv/ja/dtb_base_info.csv
@@ -1 +1 @@
-id,country_id,pref_id,company_name,company_kana,postal_code,addr01,addr02,phone_number,business_hour,email01,email02,email03,email04,shop_name,shop_kana,shop_name_eng,update_date,good_traded,message,delivery_free_amount,delivery_free_quantity,option_mypage_order_status_display,option_nostock_hidden,option_favorite_product,option_product_delivery_fee,option_product_tax_rule,option_customer_activate,option_guest_purchase,option_remember_me,option_mail_notifier,authentication_key,option_point,basic_point_rate,point_conversion_rate,discriminator_type
+id,country_id,pref_id,company_name,company_kana,postal_code,addr01,addr02,phone_number,business_hour,email01,email02,email03,email04,shop_name,shop_kana,shop_name_eng,update_date,good_traded,message,delivery_free_amount,delivery_free_quantity,option_mypage_order_status_display,option_nostock_hidden,option_favorite_product,option_product_delivery_fee,option_product_tax_rule,option_customer_activate,option_guest_purchase,option_remember_me,option_mail_notifier,authentication_key,option_point,basic_point_rate,point_conversion_rate,discriminator_type,acp_checkout_enabled,ucp_checkout_enabled,ucp_catalog_requires_auth
diff --git a/src/Eccube/Resource/doctrine/import_csv/ja/mtb_agent_protocol.csv b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_agent_protocol.csv
new file mode 100644
index 00000000000..575027df7fe
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_agent_protocol.csv
@@ -0,0 +1,3 @@
+id,name,sort_no,discriminator_type
+"1","acp","1","agentprotocol"
+"2","ucp","2","agentprotocol"
diff --git a/src/Eccube/Resource/doctrine/import_csv/ja/mtb_checkout_session_status.csv b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_checkout_session_status.csv
new file mode 100644
index 00000000000..5a90d4ad32d
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_checkout_session_status.csv
@@ -0,0 +1,8 @@
+id,name,sort_no,discriminator_type
+"1","incomplete","1","checkoutsessionstatus"
+"2","ready","2","checkoutsessionstatus"
+"3","completed","3","checkoutsessionstatus"
+"4","canceled","4","checkoutsessionstatus"
+"5","expired","5","checkoutsessionstatus"
+"6","requires_action","6","checkoutsessionstatus"
+"7","in_progress","7","checkoutsessionstatus"
diff --git a/src/Eccube/Resource/doctrine/import_csv/ja/mtb_country_iso_code.csv b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_country_iso_code.csv
new file mode 100644
index 00000000000..941bd5c983f
--- /dev/null
+++ b/src/Eccube/Resource/doctrine/import_csv/ja/mtb_country_iso_code.csv
@@ -0,0 +1,250 @@
+id,name,sort_no,discriminator_type
+"352","IS","1","countryisocode"
+"372","IE","2","countryisocode"
+"31","AZ","3","countryisocode"
+"4","AF","4","countryisocode"
+"840","US","5","countryisocode"
+"850","VI","6","countryisocode"
+"16","AS","7","countryisocode"
+"784","AE","8","countryisocode"
+"12","DZ","9","countryisocode"
+"32","AR","10","countryisocode"
+"533","AW","11","countryisocode"
+"8","AL","12","countryisocode"
+"51","AM","13","countryisocode"
+"660","AI","14","countryisocode"
+"24","AO","15","countryisocode"
+"28","AG","16","countryisocode"
+"20","AD","17","countryisocode"
+"887","YE","18","countryisocode"
+"826","GB","19","countryisocode"
+"86","IO","20","countryisocode"
+"92","VG","21","countryisocode"
+"376","IL","22","countryisocode"
+"380","IT","23","countryisocode"
+"368","IQ","24","countryisocode"
+"364","IR","25","countryisocode"
+"356","IN","26","countryisocode"
+"360","ID","27","countryisocode"
+"876","WF","28","countryisocode"
+"800","UG","29","countryisocode"
+"804","UA","30","countryisocode"
+"860","UZ","31","countryisocode"
+"858","UY","32","countryisocode"
+"218","EC","33","countryisocode"
+"818","EG","34","countryisocode"
+"233","EE","35","countryisocode"
+"231","ET","36","countryisocode"
+"232","ER","37","countryisocode"
+"222","SV","38","countryisocode"
+"36","AU","39","countryisocode"
+"40","AT","40","countryisocode"
+"248","AX","41","countryisocode"
+"512","OM","42","countryisocode"
+"528","NL","43","countryisocode"
+"288","GH","44","countryisocode"
+"132","CV","45","countryisocode"
+"831","GG","46","countryisocode"
+"328","GY","47","countryisocode"
+"398","KZ","48","countryisocode"
+"634","QA","49","countryisocode"
+"581","UM","50","countryisocode"
+"124","CA","51","countryisocode"
+"266","GA","52","countryisocode"
+"120","CM","53","countryisocode"
+"270","GM","54","countryisocode"
+"116","KH","55","countryisocode"
+"580","MP","56","countryisocode"
+"324","GN","57","countryisocode"
+"624","GW","58","countryisocode"
+"196","CY","59","countryisocode"
+"192","CU","60","countryisocode"
+"531","CW","61","countryisocode"
+"300","GR","62","countryisocode"
+"296","KI","63","countryisocode"
+"417","KG","64","countryisocode"
+"320","GT","65","countryisocode"
+"312","GP","66","countryisocode"
+"316","GU","67","countryisocode"
+"414","KW","68","countryisocode"
+"184","CK","69","countryisocode"
+"304","GL","70","countryisocode"
+"162","CX","71","countryisocode"
+"268","GE","72","countryisocode"
+"308","GD","73","countryisocode"
+"191","HR","74","countryisocode"
+"136","KY","75","countryisocode"
+"404","KE","76","countryisocode"
+"384","CI","77","countryisocode"
+"166","CC","78","countryisocode"
+"188","CR","79","countryisocode"
+"174","KM","80","countryisocode"
+"170","CO","81","countryisocode"
+"178","CG","82","countryisocode"
+"180","CD","83","countryisocode"
+"682","SA","84","countryisocode"
+"239","GS","85","countryisocode"
+"882","WS","86","countryisocode"
+"678","ST","87","countryisocode"
+"652","BL","88","countryisocode"
+"894","ZM","89","countryisocode"
+"666","PM","90","countryisocode"
+"674","SM","91","countryisocode"
+"663","MF","92","countryisocode"
+"694","SL","93","countryisocode"
+"262","DJ","94","countryisocode"
+"292","GI","95","countryisocode"
+"832","JE","96","countryisocode"
+"388","JM","97","countryisocode"
+"760","SY","98","countryisocode"
+"702","SG","99","countryisocode"
+"534","SX","100","countryisocode"
+"716","ZW","101","countryisocode"
+"756","CH","102","countryisocode"
+"752","SE","103","countryisocode"
+"729","SD","104","countryisocode"
+"744","SJ","105","countryisocode"
+"724","ES","106","countryisocode"
+"740","SR","107","countryisocode"
+"144","LK","108","countryisocode"
+"703","SK","109","countryisocode"
+"705","SI","110","countryisocode"
+"748","SZ","111","countryisocode"
+"690","SC","112","countryisocode"
+"226","GQ","113","countryisocode"
+"686","SN","114","countryisocode"
+"688","RS","115","countryisocode"
+"659","KN","116","countryisocode"
+"670","VC","117","countryisocode"
+"426","LS","118","countryisocode"
+"654","SH","119","countryisocode"
+"662","LC","120","countryisocode"
+"706","SO","121","countryisocode"
+"90","SB","122","countryisocode"
+"796","TC","123","countryisocode"
+"764","TH","124","countryisocode"
+"410","KR","125","countryisocode"
+"158","TW","126","countryisocode"
+"762","TJ","127","countryisocode"
+"834","TZ","128","countryisocode"
+"203","CZ","129","countryisocode"
+"148","TD","130","countryisocode"
+"140","CF","131","countryisocode"
+"156","CN","132","countryisocode"
+"788","TN","133","countryisocode"
+"408","KP","134","countryisocode"
+"152","CL","135","countryisocode"
+"798","TV","136","countryisocode"
+"208","DK","137","countryisocode"
+"276","DE","138","countryisocode"
+"768","TG","139","countryisocode"
+"772","TK","140","countryisocode"
+"214","DO","141","countryisocode"
+"212","DM","142","countryisocode"
+"780","TT","143","countryisocode"
+"795","TM","144","countryisocode"
+"792","TR","145","countryisocode"
+"776","TO","146","countryisocode"
+"566","NG","147","countryisocode"
+"520","NR","148","countryisocode"
+"516","NA","149","countryisocode"
+"10","AQ","150","countryisocode"
+"570","NU","151","countryisocode"
+"558","NI","152","countryisocode"
+"562","NE","153","countryisocode"
+"392","JP","154","countryisocode"
+"732","EH","155","countryisocode"
+"540","NC","156","countryisocode"
+"554","NZ","157","countryisocode"
+"524","NP","158","countryisocode"
+"574","NF","159","countryisocode"
+"578","NO","160","countryisocode"
+"334","HM","161","countryisocode"
+"48","BH","162","countryisocode"
+"332","HT","163","countryisocode"
+"586","PK","164","countryisocode"
+"336","VA","165","countryisocode"
+"591","PA","166","countryisocode"
+"548","VU","167","countryisocode"
+"44","BS","168","countryisocode"
+"598","PG","169","countryisocode"
+"60","BM","170","countryisocode"
+"585","PW","171","countryisocode"
+"600","PY","172","countryisocode"
+"52","BB","173","countryisocode"
+"275","PS","174","countryisocode"
+"348","HU","175","countryisocode"
+"50","BD","176","countryisocode"
+"626","TL","177","countryisocode"
+"612","PN","178","countryisocode"
+"242","FJ","179","countryisocode"
+"608","PH","180","countryisocode"
+"246","FI","181","countryisocode"
+"64","BT","182","countryisocode"
+"74","BV","183","countryisocode"
+"630","PR","184","countryisocode"
+"234","FO","185","countryisocode"
+"238","FK","186","countryisocode"
+"76","BR","187","countryisocode"
+"250","FR","188","countryisocode"
+"254","GF","189","countryisocode"
+"258","PF","190","countryisocode"
+"260","TF","191","countryisocode"
+"100","BG","192","countryisocode"
+"854","BF","193","countryisocode"
+"96","BN","194","countryisocode"
+"108","BI","195","countryisocode"
+"704","VN","196","countryisocode"
+"204","BJ","197","countryisocode"
+"862","VE","198","countryisocode"
+"112","BY","199","countryisocode"
+"84","BZ","200","countryisocode"
+"604","PE","201","countryisocode"
+"56","BE","202","countryisocode"
+"616","PL","203","countryisocode"
+"70","BA","204","countryisocode"
+"72","BW","205","countryisocode"
+"535","BQ","206","countryisocode"
+"68","BO","207","countryisocode"
+"620","PT","208","countryisocode"
+"344","HK","209","countryisocode"
+"340","HN","210","countryisocode"
+"584","MH","211","countryisocode"
+"446","MO","212","countryisocode"
+"807","MK","213","countryisocode"
+"450","MG","214","countryisocode"
+"175","YT","215","countryisocode"
+"454","MW","216","countryisocode"
+"466","ML","217","countryisocode"
+"470","MT","218","countryisocode"
+"474","MQ","219","countryisocode"
+"458","MY","220","countryisocode"
+"833","IM","221","countryisocode"
+"583","FM","222","countryisocode"
+"710","ZA","223","countryisocode"
+"728","SS","224","countryisocode"
+"104","MM","225","countryisocode"
+"484","MX","226","countryisocode"
+"480","MU","227","countryisocode"
+"478","MR","228","countryisocode"
+"508","MZ","229","countryisocode"
+"492","MC","230","countryisocode"
+"462","MV","231","countryisocode"
+"498","MD","232","countryisocode"
+"504","MA","233","countryisocode"
+"496","MN","234","countryisocode"
+"499","ME","235","countryisocode"
+"500","MS","236","countryisocode"
+"400","JO","237","countryisocode"
+"418","LA","238","countryisocode"
+"428","LV","239","countryisocode"
+"440","LT","240","countryisocode"
+"434","LY","241","countryisocode"
+"438","LI","242","countryisocode"
+"430","LR","243","countryisocode"
+"642","RO","244","countryisocode"
+"442","LU","245","countryisocode"
+"646","RW","246","countryisocode"
+"422","LB","247","countryisocode"
+"638","RE","248","countryisocode"
+"643","RU","249","countryisocode"
diff --git a/src/Eccube/Resource/locale/messages.en.yaml b/src/Eccube/Resource/locale/messages.en.yaml
index 3807b8b6380..22771af0744 100644
--- a/src/Eccube/Resource/locale/messages.en.yaml
+++ b/src/Eccube/Resource/locale/messages.en.yaml
@@ -1186,6 +1186,10 @@ admin.setting.shop.shop.option_point_rate: Point Return Rate
 admin.setting.shop.shop.option_point_conversion_rate: Point Conversion Rate
 admin.setting.shop.shop.ga: "Google Analytics"
 admin.setting.shop.shop.ga.tracking_id: "Tracking ID"
+admin.setting.shop.shop.agent_commerce: "Agentic Commerce"
+admin.setting.shop.shop.agent_commerce.description: "Enable checkout via AI agents (ChatGPT / Gemini, etc.). Discovery and catalog are always public; only checkout is controlled here. Checkout is not yet available in Japan, so normally leave these disabled."
+admin.setting.shop.shop.agent_commerce.acp_checkout_enabled: "Enable ACP checkout"
+admin.setting.shop.shop.agent_commerce.ucp_checkout_enabled: "Enable UCP checkout"
 
 #------------------------------------------------------------------------------------
 # Settings：Store Settings：Trade Law Settings
diff --git a/src/Eccube/Resource/locale/messages.ja.yaml b/src/Eccube/Resource/locale/messages.ja.yaml
index 96445e787c0..fb4ec95a305 100644
--- a/src/Eccube/Resource/locale/messages.ja.yaml
+++ b/src/Eccube/Resource/locale/messages.ja.yaml
@@ -1185,6 +1185,10 @@ admin.setting.shop.shop.option_point_rate: ポイント付与率
 admin.setting.shop.shop.option_point_conversion_rate: ポイント換算レート
 admin.setting.shop.shop.ga: "Googleアナリティクス設定"
 admin.setting.shop.shop.ga.tracking_id: "トラッキングID"
+admin.setting.shop.shop.agent_commerce: "エージェントコマース"
+admin.setting.shop.shop.agent_commerce.description: "AIエージェント (ChatGPT / Gemini 等) 経由のチェックアウトを有効化します。Discovery / カタログは常時公開され、ここでは checkout のみを制御します。checkout は日本未提供のため、通常は無効のままにしてください。"
+admin.setting.shop.shop.agent_commerce.acp_checkout_enabled: "ACP チェックアウトを有効にする"
+admin.setting.shop.shop.agent_commerce.ucp_checkout_enabled: "UCP チェックアウトを有効にする"
 
 #------------------------------------------------------------------------------------
 # 設定：店舗設定：特定商取引法設定
diff --git a/src/Eccube/Resource/template/admin/Setting/Shop/shop_master.twig b/src/Eccube/Resource/template/admin/Setting/Shop/shop_master.twig
index b30e83f8049..67ef3f96e25 100644
--- a/src/Eccube/Resource/template/admin/Setting/Shop/shop_master.twig
+++ b/src/Eccube/Resource/template/admin/Setting/Shop/shop_master.twig
@@ -373,6 +373,30 @@ file that was distributed with this source code.
                             </div>
                         </div>
                     </div>
+                    <div class="card rounded border-0 mb-4">
+                        <div class="card-header"><span>{{ 'admin.setting.shop.shop.agent_commerce'|trans }}</span></div>
+                        <div id="ex-shop-agent-commerce" class="card-body">
+                            <p class="text-muted">{{ 'admin.setting.shop.shop.agent_commerce.description'|trans }}</p>
+                            <div class="row mb-3">
+                                <div class="col-3">
+                                    <span>{{ 'admin.setting.shop.shop.agent_commerce.acp_checkout_enabled'|trans }}</span>
+                                </div>
+                                <div class="col mb-2">
+                                    {{ form_widget(form.acp_checkout_enabled) }}
+                                    {{ form_errors(form.acp_checkout_enabled) }}
+                                </div>
+                            </div>
+                            <div class="row mb-3">
+                                <div class="col-3">
+                                    <span>{{ 'admin.setting.shop.shop.agent_commerce.ucp_checkout_enabled'|trans }}</span>
+                                </div>
+                                <div class="col mb-2">
+                                    {{ form_widget(form.ucp_checkout_enabled) }}
+                                    {{ form_errors(form.ucp_checkout_enabled) }}
+                                </div>
+                            </div>
+                        </div>
+                    </div>
                 </div>
             </div>
         </div>
diff --git a/src/Eccube/Service/AgentCommerce/AddressMappingService.php b/src/Eccube/Service/AgentCommerce/AddressMappingService.php
new file mode 100644
index 00000000000..11c85d810aa
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/AddressMappingService.php
@@ -0,0 +1,159 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce;
+
+use Eccube\Entity\Customer;
+use Eccube\Entity\CustomerAddress;
+use Eccube\Entity\Master\Country;
+use Eccube\Entity\Master\Pref;
+use Eccube\Entity\Shipping;
+use Eccube\Repository\Master\CountryIsoCodeRepository;
+use Eccube\Repository\Master\PrefRepository;
+
+/**
+ * EC-CUBE の住所系エンティティ (Customer / CustomerAddress / Shipping) を
+ * ACP / UCP の住所 DTO へ写すためのマッピングサービス。
+ *
+ * - 国コードは Country.id (ISO 3166-1 numeric) を alpha-2 へ変換する。変換表は
+ *   マスタ mtb_country_iso_code (id=ISO numeric, name=alpha-2) で管理し、
+ *   CountryIsoCodeRepository 経由で解決する (コードにハードコードしない)。
+ * - region は Pref 名 (例: 東京都) をそのまま返す。
+ */
+class AddressMappingService
+{
+    public function __construct(
+        private readonly CountryIsoCodeRepository $countryIsoCodeRepository,
+        private readonly PrefRepository $prefRepository,
+    ) {
+    }
+
+    /**
+     * ISO 3166-1 numeric (mtb_country.id) を alpha-2 へ変換する。
+     * mtb_country_iso_code マスタに無い id / null は null を返す。
+     */
+    public function getAlpha2FromCountryId(?int $numericCountryId): ?string
+    {
+        if ($numericCountryId === null) {
+            return null;
+        }
+
+        return $this->countryIsoCodeRepository->find($numericCountryId)?->getName();
+    }
+
+    /**
+     * Pref から region 文字列 (都道府県名) を返す。null は null を返す。
+     */
+    public function getRegionFromPref(?Pref $pref): ?string
+    {
+        if ($pref === null) {
+            return null;
+        }
+
+        return $pref->getName();
+    }
+
+    /**
+     * region 文字列 (都道府県名) から Pref を逆引きする。
+     *
+     * UCP の postal address `region` は EC-CUBE では Pref 名 (例: 東京都) に対応する。
+     * ISO 3166-2:JP コード (JP-13 等) での指定は標準では解決せず、app/Customize での
+     * 拡張余地とする (本サービスを decoration して解決ロジックを差し替え可能)。
+     */
+    public function getPrefFromRegion(?string $region): ?Pref
+    {
+        if ($region === null || $region === '') {
+            return null;
+        }
+
+        return $this->prefRepository->findOneBy(['name' => $region]);
+    }
+
+    /**
+     * 住所系エンティティを ACP / UCP の住所 DTO 相当の配列へ写す。
+     *
+     * @return array{
+     *     family_name: ?string,
+     *     given_name: ?string,
+     *     family_name_kana: ?string,
+     *     given_name_kana: ?string,
+     *     company: ?string,
+     *     postal_code: ?string,
+     *     region: ?string,
+     *     address1: ?string,
+     *     address2: ?string,
+     *     country: ?string,
+     *     phone: ?string
+     * }
+     */
+    public function toAddressArray(Customer|CustomerAddress|Shipping $source): array
+    {
+        $country = $this->extractCountry($source);
+        $countryId = $country !== null ? $country->getId() : null;
+
+        return [
+            'family_name' => $this->callIfExists($source, 'getName01'),
+            'given_name' => $this->callIfExists($source, 'getName02'),
+            'family_name_kana' => $this->callIfExists($source, 'getKana01'),
+            'given_name_kana' => $this->callIfExists($source, 'getKana02'),
+            'company' => $this->callIfExists($source, 'getCompanyName'),
+            'postal_code' => $this->callIfExists($source, 'getPostalCode'),
+            'region' => $this->getRegionFromPref($this->extractPref($source)),
+            'address1' => $this->callIfExists($source, 'getAddr01'),
+            'address2' => $this->callIfExists($source, 'getAddr02'),
+            'country' => $this->getAlpha2FromCountryId($countryId),
+            'phone' => $this->extractPhoneNumber($source),
+        ];
+    }
+
+    private function extractCountry(Customer|CustomerAddress|Shipping $source): ?Country
+    {
+        // Customer / CustomerAddress / Shipping いずれも getCountry() を持つ。
+        return $source->getCountry();
+    }
+
+    private function extractPref(Customer|CustomerAddress|Shipping $source): ?Pref
+    {
+        // Customer / CustomerAddress / Shipping いずれも getPref() を持つ。
+        return $source->getPref();
+    }
+
+    /**
+     * 電話番号を取得する。
+     * Customer / CustomerAddress / Shipping いずれも getPhoneNumber() を持つ。
+     */
+    private function extractPhoneNumber(Customer|CustomerAddress|Shipping $source): ?string
+    {
+        return $source->getPhoneNumber();
+    }
+
+    /**
+     * 指定 getter が存在すれば呼び出して文字列(or null)を返す。存在しなければ null。
+     */
+    private function callIfExists(Customer|CustomerAddress|Shipping $source, string $method): ?string
+    {
+        if (!method_exists($source, $method)) {
+            return null;
+        }
+
+        try {
+            $value = $source->$method();
+        } catch (\TypeError) {
+            // 一部エンティティ (Shipping の getName01/getKana01 等) は getter の戻り型が
+            // 非 null の string だが、値が未設定だと TypeError になる。null 扱いにする。
+            return null;
+        }
+
+        return $value === null ? null : (string) $value;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapter.php b/src/Eccube/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapter.php
new file mode 100644
index 00000000000..2512e601303
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapter.php
@@ -0,0 +1,246 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce;
+
+use Doctrine\ORM\EntityManagerInterface;
+use Eccube\Entity\Cart;
+use Eccube\Entity\CartItem;
+use Eccube\Entity\Customer;
+use Eccube\Entity\Order;
+use Eccube\Repository\Master\AgentProtocolRepository;
+use Eccube\Repository\Master\PrefRepository;
+use Eccube\Repository\ProductClassRepository;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutAddress;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessage;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessageLevel;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutRequest;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutResult;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutErrorCode;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutException;
+use Eccube\Service\OrderHelper;
+use Eccube\Service\PurchaseFlow\PurchaseContext;
+use Eccube\Service\PurchaseFlow\PurchaseFlow;
+use Eccube\Service\PurchaseFlow\PurchaseFlowResult;
+
+/**
+ * エージェントチェックアウトの中立 DTO を、EC-CUBE の `Cart` → `Order` へ変換し、
+ * 既存の shopping flow (`eccube.purchase.flow.shopping`) で税・送料・在庫を再計算するアダプタ.
+ *
+ * 設計方針 (#6777):
+ * - **新規の購入フローは定義せず、通常購入と同一の shopping flow を再利用**する。
+ *   これにより税計算・送料・代引手数料・ポイント・在庫引当・受注番号採番のロジックを完全共有する。
+ * - 明細は `Cart`/`CartItem` を再利用 (エージェントはセッションを持たないため `CheckoutSession` が束ねる)。
+ * - 会員はゲスト購入を基準線とする ({@link \Eccube\Service\AgentCommerce\CheckoutSession\CustomerResolverInterface})。
+ *   会員が解決された場合は `Order` に紐づけ、ゲストは住所 DTO から transient な `Customer` を構築する。
+ *
+ * ビジネス系の結果 (在庫不足・販売停止・配送制限等) は shopping flow の warning/error を
+ * {@link AgentCheckoutMessage} へ写し取り、HTTP 200 + messages[] として返せる形にする。
+ */
+class AgentCheckoutPurchaseFlowAdapter
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly OrderHelper $orderHelper,
+        private readonly ProductClassRepository $productClassRepository,
+        private readonly PrefRepository $prefRepository,
+        private readonly AgentProtocolRepository $agentProtocolRepository,
+        private readonly PurchaseFlow $shoppingPurchaseFlow,
+    ) {
+    }
+
+    /**
+     * 中立 DTO から `Cart`/`Order` を構築し、shopping flow で見積を計算する.
+     *
+     * 在庫不足等のビジネス系エラーは例外でなく {@link AgentCheckoutResult::$messages} に反映する。
+     * 不正な商品参照・空明細等のプロトコル系エラーは {@link AgentCheckoutException} を投げる。
+     */
+    public function buildOrder(AgentCheckoutRequest $request, ?Customer $member = null): AgentCheckoutResult
+    {
+        if ($request->lineItems === []) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::EMPTY_LINE_ITEMS, 'line items must not be empty');
+        }
+
+        $Customer = $member ?? $this->buildGuestCustomer($request->buyer);
+
+        $Cart = $this->buildCart($request);
+
+        $Order = $this->orderHelper->createPurchaseProcessingOrder($Cart, $Customer);
+        $Cart->setPreOrderId($Order->getPreOrderId());
+
+        if ($request->protocolId !== null) {
+            $Order->setAgentProtocol($this->agentProtocolRepository->find($request->protocolId));
+        }
+        if ($request->agentId !== null) {
+            $Order->setAgentId($request->agentId);
+        }
+
+        $this->entityManager->flush();
+
+        $messages = $this->runFlow(fn (PurchaseContext $context) => $this->shoppingPurchaseFlow->validate($Order, $context), $Order, $member);
+        $this->entityManager->flush();
+
+        return new AgentCheckoutResult($Order, $messages, $Cart);
+    }
+
+    /**
+     * 在庫・ポイントを引き当て、受注番号を採番する (PurchaseFlow::prepare).
+     *
+     * EC-CUBE 通常購入の `PaymentMethod::apply()` 相当で、**決済オーソリの「前」**に実行する。
+     * ビジネス系エラー (在庫不足・販売制限等) は例外でなく messages[] に反映し、その場合は
+     * prepare を行わない。プロトコル系エラー (不正な商品参照等) は呼び出し前段で弾く。
+     *
+     * 注意: PurchaseFlow の StockReduceProcessor が EntityManager::lock() (悲観ロック) を使うため、
+     * **トランザクションがアクティブな状態で呼ぶこと**。トランザクション境界の管理 (および
+     * EMV-3DS 等の外部サイト遷移時の中断) は決済オーケストレーション層 (PaymentMethod 相当の
+     * 決済ハンドラ / controller) の責務とし、本アダプタ自身はトランザクションを開始しない
+     * (決済処理全体を 1 トランザクションで囲うと外部遷移型決済で破綻するため)。
+     */
+    public function prepare(Order $Order, ?Customer $member = null): AgentCheckoutResult
+    {
+        $messages = $this->runFlow(function (PurchaseContext $context) use ($Order): PurchaseFlowResult {
+            $result = $this->shoppingPurchaseFlow->validate($Order, $context);
+            if (!$result->hasError()) {
+                $this->shoppingPurchaseFlow->prepare($Order, $context);
+            }
+
+            return $result;
+        }, $Order, $member);
+
+        $this->entityManager->flush();
+
+        return new AgentCheckoutResult($Order, $messages);
+    }
+
+    /**
+     * 注文を確定する (PurchaseFlow::commit). 決済オーソリ/売上の「成功後」に呼ぶ.
+     *
+     * EC-CUBE 通常購入の `PaymentMethod::checkout()` 成功時相当。{@link prepare()} 済みであること、
+     * トランザクションがアクティブであることが前提。
+     */
+    public function commit(Order $Order, ?Customer $member = null): void
+    {
+        $context = new PurchaseContext(clone $Order, $member);
+        $this->shoppingPurchaseFlow->commit($Order, $context);
+        $this->entityManager->flush();
+    }
+
+    /**
+     * {@link prepare()} で引き当てた在庫・ポイントを戻す (PurchaseFlow::rollback).
+     *
+     * 決済オーソリ失敗・キャンセル時に呼ぶ (EC-CUBE 通常購入の `PaymentMethod::checkout()` 失敗時相当)。
+     */
+    public function rollback(Order $Order, ?Customer $member = null): void
+    {
+        $context = new PurchaseContext(clone $Order, $member);
+        $this->shoppingPurchaseFlow->rollback($Order, $context);
+        $this->entityManager->flush();
+    }
+
+    /**
+     * PurchaseFlow を実行し、warning/error を中立メッセージへ写し取る.
+     *
+     * @param callable(PurchaseContext): PurchaseFlowResult $flow
+     *
+     * @return array<int, AgentCheckoutMessage>
+     */
+    private function runFlow(callable $flow, Order $Order, ?Customer $member): array
+    {
+        $context = new PurchaseContext(clone $Order, $member);
+        $result = $flow($context);
+
+        $messages = [];
+        foreach ($result->getErrors() as $error) {
+            $messages[] = new AgentCheckoutMessage(AgentCheckoutMessageLevel::ERROR, (string) $error->getMessage());
+        }
+        foreach ($result->getWarning() as $warning) {
+            $messages[] = new AgentCheckoutMessage(AgentCheckoutMessageLevel::WARNING, (string) $warning->getMessage());
+        }
+
+        return $messages;
+    }
+
+    /**
+     * 中立明細から永続化された `Cart` を構築する.
+     */
+    private function buildCart(AgentCheckoutRequest $request): Cart
+    {
+        $Cart = new Cart();
+        // 合計は Order 側の shopping flow で再計算されるため、ここでは NOT NULL 制約を満たす初期値のみ設定する。
+        $Cart->setTotalPrice('0');
+        $Cart->setDeliveryFeeTotal('0');
+        // エージェント所有カートは Web ストアフロント (CartService) の解決対象から除外する。
+        // 会員帰属は Order 側 (OrderHelper) に持たせ、Cart の customer_id は常に NULL に保つ
+        // ことで、ログイン会員の Web カートに混入・操作されないようにする。
+        $Cart->setAgentOwned(true);
+
+        foreach ($request->lineItems as $lineItem) {
+            if ($lineItem->quantity < 1) {
+                throw new AgentCheckoutException(AgentCheckoutErrorCode::INVALID_QUANTITY, 'quantity must be positive');
+            }
+
+            $ProductClass = $this->productClassRepository->find($lineItem->productClassId);
+            if ($ProductClass === null) {
+                throw new AgentCheckoutException(AgentCheckoutErrorCode::PRODUCT_NOT_FOUND, sprintf('ProductClass #%d not found', $lineItem->productClassId));
+            }
+
+            $CartItem = new CartItem();
+            $CartItem
+                ->setQuantity((string) $lineItem->quantity)
+                ->setPrice((string) $ProductClass->getPrice02IncTax())
+                ->setProductClass($ProductClass);
+            $Cart->addCartItem($CartItem);
+            $CartItem->setCart($Cart);
+        }
+
+        $this->entityManager->persist($Cart);
+
+        return $Cart;
+    }
+
+    /**
+     * 住所 DTO から transient (非永続) な会員オブジェクトを構築する (ゲスト購入用).
+     *
+     * `OrderHelper::createPurchaseProcessingOrder()` は `Customer` のプロパティを `Order`/`Shipping`
+     * へコピーするため、id を持たない transient な `Customer` を渡すことでゲストの住所を反映できる。
+     */
+    private function buildGuestCustomer(?AgentCheckoutAddress $address): Customer
+    {
+        if ($address === null) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::MISSING_ADDRESS, 'buyer address is required for guest checkout');
+        }
+
+        $Customer = new Customer();
+        $Customer
+            ->setName01((string) $address->name01)
+            ->setName02((string) $address->name02)
+            ->setKana01($address->kana01)
+            ->setKana02($address->kana02)
+            ->setCompanyName($address->companyName)
+            ->setEmail($address->email)
+            ->setPhonenumber($address->phoneNumber)
+            ->setPostalcode($address->postalCode)
+            ->setAddr01($address->addr01)
+            ->setAddr02($address->addr02);
+
+        if ($address->prefId !== null) {
+            $Pref = $this->prefRepository->find($address->prefId);
+            if ($Pref === null) {
+                throw new AgentCheckoutException(AgentCheckoutErrorCode::INVALID_PREF, sprintf('Pref #%d not found', $address->prefId));
+            }
+            $Customer->setPref($Pref);
+        }
+
+        return $Customer;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutAddress.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutAddress.php
new file mode 100644
index 00000000000..584e877bbcb
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutAddress.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+/**
+ * 購入者/配送先の住所 (プロトコル非依存の中立表現).
+ *
+ * `prefId` は EC-CUBE の `mtb_pref.id` (1-47)。プロトコル固有 Mapper が
+ * 共通基盤の `AddressMappingService` を用いて region 名等から解決する。
+ */
+final readonly class AgentCheckoutAddress
+{
+    public function __construct(
+        public ?string $name01 = null,
+        public ?string $name02 = null,
+        public ?string $kana01 = null,
+        public ?string $kana02 = null,
+        public ?string $companyName = null,
+        public ?string $postalCode = null,
+        public ?int $prefId = null,
+        public ?string $addr01 = null,
+        public ?string $addr02 = null,
+        public ?string $email = null,
+        public ?string $phoneNumber = null,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionResult.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionResult.php
new file mode 100644
index 00000000000..f206cac8ca4
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionResult.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+
+/**
+ * complete 状態機械 ({@link AgentCheckoutCompletionService}) の結果 (プロトコル非依存).
+ *
+ * プロトコル層 (#6776 ACP / #6574 UCP) のマッパーがこの中立結果を各プロトコルのレスポンスへ写す:
+ * - `status` (正規化マスタ) → UCP `requires_escalation` / ACP `authentication_required` 等へ変換
+ * - `actionData` → UCP `continue_url` / ACP `authentication_metadata` の原資
+ * - `messages` → HTTP 200 + messages[] (ビジネス系エラー)
+ */
+final readonly class AgentCheckoutCompletionResult
+{
+    /**
+     * @param array<int, AgentCheckoutMessage> $messages  ビジネス系メッセージ (在庫不足・決済拒否等)
+     * @param array<string, mixed>             $actionData REQUIRES_ACTION/PENDING 時の中立データ
+     */
+    public function __construct(
+        public CheckoutSessionStatus $status,
+        public ?Order $order,
+        public array $messages = [],
+        public array $actionData = [],
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionService.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionService.php
new file mode 100644
index 00000000000..394807c8335
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionService.php
@@ -0,0 +1,241 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+use Doctrine\ORM\EntityManagerInterface;
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Customer;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Repository\Master\CheckoutSessionStatusRepository;
+use Eccube\Service\AgentCommerce\AgentCheckoutPurchaseFlowAdapter;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutErrorCode;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutException;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry;
+use Eccube\Service\AgentCommerce\Payment\PaymentOutcome;
+use Eccube\Service\AgentCommerce\Payment\PaymentOutcomeStatus;
+
+/**
+ * エージェントチェックアウトの complete を「中断 → 再開」する状態機械として実行するオーケストレータ.
+ *
+ * 設計の核心 (#6777): 追加認証 (EMV-3DS) / 外部サイトへの buyer ハンドオフ (escalation) は
+ * エラーでなく complete が返す**正常な中間状態**であり、complete は冪等な単発呼び出しではなく
+ * 状態に応じて複数回呼ばれる状態機械である。本サービスは以下を core に集約する:
+ *
+ * - 在庫引当の保持/回収 (prepare で物理引当 → REQUIRES_ACTION/PENDING では rollback せず保持、
+ *   FAILED/期限切れで rollback)
+ * - CheckoutSession の正規化ステータス遷移
+ * - トランザクション境界 (各 complete 呼び出しを 1 トランザクションで確定。StockReduceProcessor の
+ *   悲観ロックに対応するため明示トランザクションで囲む)
+ *
+ * プロトコル controller (#6776 ACP / #6574 UCP) は本サービスへ委譲し、戻り値
+ * {@link AgentCheckoutCompletionResult} を各プロトコルのレスポンスへ変換する。
+ */
+class AgentCheckoutCompletionService
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly AgentCheckoutPurchaseFlowAdapter $purchaseFlowAdapter,
+        private readonly AgentCheckoutPaymentHandlerRegistry $paymentHandlerRegistry,
+        private readonly CheckoutSessionStatusRepository $statusRepository,
+        private readonly CustomerResolverInterface $customerResolver,
+        private readonly int $escalationExpireMinutes,
+    ) {
+    }
+
+    /**
+     * セッションを確定する (状態機械の単一エントリ。初回 complete・再開 complete の双方を処理).
+     *
+     * @param array<string, mixed> $paymentData 決済の中立表現 (再開時は authentication_result 等を含む)
+     *
+     * @throws AgentCheckoutException 確定不能な状態 (終端・Order 未生成等)
+     */
+    public function complete(CheckoutSession $session, array $paymentData): AgentCheckoutCompletionResult
+    {
+        $statusId = $session->getStatus()?->getId();
+
+        // 冪等性: 既に完了済なら副作用を再実行せず既存 Order を返す。
+        if ($statusId === CheckoutSessionStatus::COMPLETED) {
+            return new AgentCheckoutCompletionResult($this->requireStatus(CheckoutSessionStatus::COMPLETED), $session->getOrder());
+        }
+
+        // 終端ステータスは確定不能 (プロトコル系エラー)。
+        if (in_array($statusId, [CheckoutSessionStatus::CANCELED, CheckoutSessionStatus::EXPIRED], true)) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::INVALID_SESSION_STATE, 'The checkout session is in a terminal state and cannot be completed.');
+        }
+
+        $order = $session->getOrder();
+        if ($order === null) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::INVALID_SESSION_STATE, 'The checkout session has no order to complete.');
+        }
+
+        $member = $this->customerResolver->resolve($session);
+        $isResume = in_array($statusId, [CheckoutSessionStatus::REQUIRES_ACTION, CheckoutSessionStatus::IN_PROGRESS], true);
+
+        $connection = $this->entityManager->getConnection();
+        $connection->beginTransaction();
+        try {
+            $result = $this->runStateMachine($session, $order, $member, $paymentData, $isResume);
+            $this->entityManager->flush();
+            $connection->commit();
+
+            return $result;
+        } catch (\Throwable $e) {
+            $connection->rollBack();
+
+            throw $e;
+        }
+    }
+
+    /**
+     * 状態機械の本体 (トランザクション内で実行される).
+     *
+     * @param array<string, mixed> $paymentData
+     */
+    private function runStateMachine(CheckoutSession $session, Order $order, ?Customer $member, array $paymentData, bool $isResume): AgentCheckoutCompletionResult
+    {
+        // 初回 complete: 在庫引当・受注番号採番 (PROCESSING のまま)。
+        // 再開 complete: 引当は初回で済んでいるため再 prepare しない。
+        if (!$isResume) {
+            $prepareResult = $this->purchaseFlowAdapter->prepare($order, $member);
+            if ($prepareResult->hasError()) {
+                // ビジネス系エラー (在庫不足等): 確定せず messages[] を返す (status 据置)。
+                return new AgentCheckoutCompletionResult($this->requireCurrentStatus($session), null, $prepareResult->messages);
+            }
+        }
+
+        $handler = $this->paymentHandlerRegistry->resolveForOrder($order);
+
+        // 決済ハンドラ未登録 (代引・無償等) は与信不要のためそのまま確定する。
+        if ($handler === null) {
+            return $this->commitOrder($session, $order, $member);
+        }
+
+        $outcome = $handler->authorize($order, $paymentData);
+
+        switch ($outcome->status) {
+            case PaymentOutcomeStatus::COMPLETED:
+                $capture = $handler->capture($order, $paymentData);
+                if ($capture->status !== PaymentOutcomeStatus::COMPLETED) {
+                    return $this->failOrder($session, $order, $member, $capture);
+                }
+                $this->mergePaymentData($session, $capture->metadata);
+
+                return $this->commitOrder($session, $order, $member);
+
+            case PaymentOutcomeStatus::REQUIRES_ACTION:
+                return $this->holdForAction($session, $outcome, CheckoutSessionStatus::REQUIRES_ACTION);
+
+            case PaymentOutcomeStatus::PENDING:
+                return $this->holdForAction($session, $outcome, CheckoutSessionStatus::IN_PROGRESS);
+
+            case PaymentOutcomeStatus::FAILED:
+            default:
+                return $this->failOrder($session, $order, $member, $outcome);
+        }
+    }
+
+    /**
+     * 注文を確定し completed へ遷移する.
+     */
+    private function commitOrder(CheckoutSession $session, Order $order, ?Customer $member): AgentCheckoutCompletionResult
+    {
+        $this->purchaseFlowAdapter->commit($order, $member);
+        $session
+            ->setOrder($order)
+            ->setStatus($this->requireStatus(CheckoutSessionStatus::COMPLETED));
+
+        return new AgentCheckoutCompletionResult($session->getStatus() ?? $this->requireStatus(CheckoutSessionStatus::COMPLETED), $order);
+    }
+
+    /**
+     * 追加対応待ち (REQUIRES_ACTION) / 非同期確定待ち (IN_PROGRESS) として在庫を引当のまま保持する.
+     *
+     * 在庫は rollback せず、payment_data と actionData を永続化してリクエスト跨ぎで再開可能にする。
+     */
+    private function holdForAction(CheckoutSession $session, PaymentOutcome $outcome, int $statusId): AgentCheckoutCompletionResult
+    {
+        $this->mergePaymentData($session, $outcome->metadata);
+        if ($outcome->actionData !== []) {
+            $metadata = $session->getMetadata() ?? [];
+            $metadata['payment_action'] = $outcome->actionData;
+            $session->setMetadata($metadata);
+        }
+        $this->extendExpiry($session);
+        $session->setStatus($this->requireStatus($statusId));
+
+        return new AgentCheckoutCompletionResult($session->getStatus() ?? $this->requireStatus($statusId), null, [], $outcome->actionData);
+    }
+
+    /**
+     * 決済失敗時: 引当を rollback し、再試行可否でステータスを分岐する.
+     *
+     * retryable (card declined 等) は ready に戻して再 complete を許し、unrecoverable は canceled とする。
+     */
+    private function failOrder(CheckoutSession $session, Order $order, ?Customer $member, PaymentOutcome $outcome): AgentCheckoutCompletionResult
+    {
+        $this->purchaseFlowAdapter->rollback($order, $member);
+
+        $statusId = $outcome->retryable ? CheckoutSessionStatus::READY : CheckoutSessionStatus::CANCELED;
+        $session->setStatus($this->requireStatus($statusId));
+
+        $message = new AgentCheckoutMessage(
+            AgentCheckoutMessageLevel::ERROR,
+            $outcome->errorMessage !== null && $outcome->errorMessage !== '' ? $outcome->errorMessage : (string) $outcome->errorCode,
+        );
+
+        return new AgentCheckoutCompletionResult($session->getStatus() ?? $this->requireStatus($statusId), null, [$message]);
+    }
+
+    /**
+     * payment_data に PSP 参照等をマージする (token はハンドラ側でマスキング済).
+     *
+     * @param array<string, mixed> $metadata
+     */
+    private function mergePaymentData(CheckoutSession $session, array $metadata): void
+    {
+        if ($metadata === []) {
+            return;
+        }
+        $session->setPaymentData(array_merge($session->getPaymentData() ?? [], $metadata));
+    }
+
+    /**
+     * 在庫を確保したまま再開を待つ期限を再設定する (eccube.yaml の escalation 期限).
+     */
+    private function extendExpiry(CheckoutSession $session): void
+    {
+        $session->setExpiresAt((new \DateTime())->modify(sprintf('+%d minutes', $this->escalationExpireMinutes)));
+    }
+
+    private function requireCurrentStatus(CheckoutSession $session): CheckoutSessionStatus
+    {
+        $status = $session->getStatus();
+        if ($status === null) {
+            throw new AgentCheckoutException(AgentCheckoutErrorCode::INVALID_SESSION_STATE, 'The checkout session has no status.');
+        }
+
+        return $status;
+    }
+
+    private function requireStatus(int $id): CheckoutSessionStatus
+    {
+        $status = $this->statusRepository->find($id);
+        if ($status === null) {
+            throw new \RuntimeException(sprintf('CheckoutSessionStatus #%d is not found. Run the agent-commerce master data migration.', $id));
+        }
+
+        return $status;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutLineItem.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutLineItem.php
new file mode 100644
index 00000000000..16dfa3ab7c2
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutLineItem.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+/**
+ * チェックアウトの明細 1 行 (プロトコル非依存の中立表現).
+ *
+ * プロトコル固有 Mapper (#6776 ACP / #6574 UCP) が、各プロトコルの variant 識別子を
+ * EC-CUBE の `ProductClass.id` へ解決した上で本 DTO を組み立てる。
+ */
+final readonly class AgentCheckoutLineItem
+{
+    public function __construct(
+        public int $productClassId,
+        public int $quantity,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessage.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessage.php
new file mode 100644
index 00000000000..5cdefb4302c
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessage.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+/**
+ * ビジネスロジックの結果メッセージ (中立表現).
+ */
+final readonly class AgentCheckoutMessage
+{
+    public function __construct(
+        public AgentCheckoutMessageLevel $level,
+        public string $message,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessageLevel.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessageLevel.php
new file mode 100644
index 00000000000..39989ec96d1
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutMessageLevel.php
@@ -0,0 +1,28 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+/**
+ * ビジネスロジックの結果メッセージのレベル.
+ *
+ * ACP/UCP 共通の「2 系統エラー」のうち、ビジネス系 (HTTP 200 + messages[]) に対応する。
+ * プロトコル固有の表現 (ACP の `MessageError`/`MessageWarning`/`MessageInfo` 等) への変換は
+ * プロトコル層 (#6776/#6574) で行う。
+ */
+enum AgentCheckoutMessageLevel: string
+{
+    case ERROR = 'error';
+    case WARNING = 'warning';
+    case INFO = 'info';
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutRequest.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutRequest.php
new file mode 100644
index 00000000000..0d1506e7870
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutRequest.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+/**
+ * チェックアウト見積要求 (プロトコル非依存の中立表現).
+ *
+ * 明細と購入者/配送先住所を保持する。`AgentCheckoutPurchaseFlowAdapter` がこれを
+ * EC-CUBE の `Cart` → `Order` へ変換し、shopping flow で税・送料・在庫を再計算する。
+ */
+final readonly class AgentCheckoutRequest
+{
+    /**
+     * @param array<int, AgentCheckoutLineItem> $lineItems
+     * @param int|null                          $protocolId プロトコル種別マスタ (`AgentProtocol::ACP` 等) の id
+     */
+    public function __construct(
+        public array $lineItems,
+        public ?AgentCheckoutAddress $buyer = null,
+        public string $currencyCode = 'JPY',
+        public ?int $protocolId = null,
+        public ?string $agentId = null,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutResult.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutResult.php
new file mode 100644
index 00000000000..c36a3a69a1d
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/AgentCheckoutResult.php
@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+use Eccube\Entity\Cart;
+use Eccube\Entity\Order;
+
+/**
+ * チェックアウト見積/確定の結果.
+ *
+ * 再計算後の `Order` (税・送料・手数料・合計が確定済) と、ビジネス系メッセージ
+ * (在庫不足・販売停止・配送制限等) を保持する。
+ * `buildOrder` の見積時は紐付け元の `Cart` も併せて返す (CheckoutSession の cart_id 設定・
+ * pre_order_id 整合性チェック用)。確定 (prepare) 時は null。
+ */
+final readonly class AgentCheckoutResult
+{
+    /**
+     * @param array<int, AgentCheckoutMessage> $messages
+     */
+    public function __construct(
+        public Order $order,
+        public array $messages = [],
+        public ?Cart $cart = null,
+    ) {
+    }
+
+    public function hasError(): bool
+    {
+        foreach ($this->messages as $message) {
+            if ($message->level === AgentCheckoutMessageLevel::ERROR) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function hasWarning(): bool
+    {
+        foreach ($this->messages as $message) {
+            if ($message->level === AgentCheckoutMessageLevel::WARNING) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/CustomerResolverInterface.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/CustomerResolverInterface.php
new file mode 100644
index 00000000000..96f5cf6be9a
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/CustomerResolverInterface.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Customer;
+
+/**
+ * チェックアウトセッションに紐づく会員 (Customer) を解決する seam.
+ *
+ * エージェントはブラウザセッション (form_login) を持たないため、会員 ID 連携は
+ * 「OAuth2 トークン → Customer 解決」で行う。会員 ID 連携の実体は eccube-api4 の
+ * Customer authorization_code grant に依存する ([EC-CUBE/eccube-api4#189]) ため、
+ * 標準実装 ({@link GuestCustomerResolver}) は常に null (ゲスト購入) を返す。
+ *
+ * 会員解決を有効化する場合は本インターフェイスの実装を `app/Customize` 等で差し替える。
+ */
+interface CustomerResolverInterface
+{
+    /**
+     * セッションから会員を解決する. ゲスト購入の場合は null.
+     */
+    public function resolve(CheckoutSession $session): ?Customer;
+}
diff --git a/src/Eccube/Service/AgentCommerce/CheckoutSession/GuestCustomerResolver.php b/src/Eccube/Service/AgentCommerce/CheckoutSession/GuestCustomerResolver.php
new file mode 100644
index 00000000000..27b721b8970
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/CheckoutSession/GuestCustomerResolver.php
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\CheckoutSession;
+
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Customer;
+
+/**
+ * 標準実装: 常にゲスト購入 (会員解決なし) として null を返す.
+ *
+ * 会員 ID 連携 ([EC-CUBE/eccube-api4#189]) が landing するまでの既定挙動。
+ */
+class GuestCustomerResolver implements CustomerResolverInterface
+{
+    public function resolve(CheckoutSession $session): ?Customer
+    {
+        return null;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutErrorCode.php b/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutErrorCode.php
new file mode 100644
index 00000000000..32ebdfa628c
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutErrorCode.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Exception;
+
+/**
+ * エージェントチェックアウトのエラーコード分類.
+ *
+ * ACP/UCP 共通の「2 系統エラー」のうち、ここで表すのは主に **プロトコル系**
+ * (HTTP 4xx/5xx + Error) に対応する不正要求・処理不能を分類するためのもの。
+ * 在庫切れ・販売停止等の **ビジネス系** (HTTP 200 + messages[]) は本コードではなく
+ * {@link \Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessage} で表現する。
+ *
+ * HTTP ステータス / messages[] への具体的な変換アダプタはプロトコル層 (#6776/#6574) が担う。
+ */
+enum AgentCheckoutErrorCode: string
+{
+    /** 明細が空. */
+    case EMPTY_LINE_ITEMS = 'empty_line_items';
+
+    /** 指定された商品 (ProductClass) が見つからない. */
+    case PRODUCT_NOT_FOUND = 'product_not_found';
+
+    /** 数量が不正 (0 以下等). */
+    case INVALID_QUANTITY = 'invalid_quantity';
+
+    /** 購入者/配送先住所が不足している. */
+    case MISSING_ADDRESS = 'missing_address';
+
+    /** 指定された都道府県 (Pref) が見つからない. */
+    case INVALID_PREF = 'invalid_pref';
+
+    /** セッションが確定不能な状態 (期限切れ・取消済等). */
+    case INVALID_SESSION_STATE = 'invalid_session_state';
+}
diff --git a/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutException.php b/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutException.php
new file mode 100644
index 00000000000..b1c2f354081
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Exception/AgentCheckoutException.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Exception;
+
+/**
+ * エージェントチェックアウトのプロトコル系エラー.
+ *
+ * 不正要求・処理不能を表す。HTTP ステータスや messages[] への変換はプロトコル層が行う。
+ */
+class AgentCheckoutException extends \RuntimeException
+{
+    public function __construct(
+        private readonly AgentCheckoutErrorCode $errorCode,
+        string $message = '',
+        ?\Throwable $previous = null,
+    ) {
+        parent::__construct($message !== '' ? $message : $errorCode->value, 0, $previous);
+    }
+
+    public function getErrorCode(): AgentCheckoutErrorCode
+    {
+        return $this->errorCode;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Exception/IdempotencyConflictException.php b/src/Eccube/Service/AgentCommerce/Exception/IdempotencyConflictException.php
new file mode 100644
index 00000000000..94a72f39d88
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Exception/IdempotencyConflictException.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Exception;
+
+/**
+ * Idempotency-Key の競合 (HTTP 409 相当).
+ *
+ * - 同一キーが**異なるリクエスト内容**で再利用された場合
+ * - 同一キーの**処理がまだ進行中** (並行リクエスト) の場合
+ *
+ * いずれもプロトコル層で HTTP 409 Conflict へ変換する。
+ */
+class IdempotencyConflictException extends \RuntimeException
+{
+}
diff --git a/src/Eccube/Service/AgentCommerce/Exception/UcpSignatureException.php b/src/Eccube/Service/AgentCommerce/Exception/UcpSignatureException.php
new file mode 100644
index 00000000000..4ae98dd1eb9
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Exception/UcpSignatureException.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Exception;
+
+/**
+ * UCP の RFC 9421 署名検証に失敗したことを表す例外.
+ *
+ * プロトコル系エラー (HTTP 401 等) に変換される。署名欠落・不正・鍵不一致・
+ * Content-Digest 不一致・プロファイル取得失敗・許可外ドメインを含む。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md
+ */
+class UcpSignatureException extends \RuntimeException
+{
+}
diff --git a/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOption.php b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOption.php
new file mode 100644
index 00000000000..386f926a795
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOption.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Fulfillment;
+
+/**
+ * 配送方法の選択肢 (中立表現).
+ *
+ * EC-CUBE の `Delivery` 1 件に対応し、配送先 (`Pref`) に対する送料 (`shippingFeeMinor`)、
+ * 配送日数 (`estimatedDeliveryDays`)、利用可能な支払方法 (`paymentOptions`) を保持する。
+ * 金額はすべて minor unit (整数) で表現する。
+ */
+final readonly class FulfillmentOption
+{
+    /**
+     * @param array<int, FulfillmentPaymentOption> $paymentOptions
+     */
+    public function __construct(
+        public int $deliveryId,
+        public string $name,
+        public int $shippingFeeMinor,
+        public string $currencyCode,
+        public ?int $estimatedDeliveryDays,
+        public array $paymentOptions,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOptionMapperInterface.php b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOptionMapperInterface.php
new file mode 100644
index 00000000000..4809605c08a
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentOptionMapperInterface.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Fulfillment;
+
+use Eccube\Entity\Master\Pref;
+use Eccube\Entity\ProductClass;
+
+/**
+ * 注文明細と配送先から、エージェントへ提示する配送方法の選択肢を組み立てる.
+ *
+ * 標準実装を `app/Customize` で差し替え可能にするための seam。
+ */
+interface FulfillmentOptionMapperInterface
+{
+    /**
+     * 配送先 `Pref` に対して利用可能な配送方法の選択肢を返す.
+     *
+     * @param iterable<ProductClass> $productClasses 対象明細の商品規格
+     *
+     * @return array<int, FulfillmentOption>
+     */
+    public function mapForDestination(iterable $productClasses, Pref $pref, string $currencyCode = 'JPY'): array;
+}
diff --git a/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentPaymentOption.php b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentPaymentOption.php
new file mode 100644
index 00000000000..3fd7b9bebcb
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Fulfillment/FulfillmentPaymentOption.php
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Fulfillment;
+
+/**
+ * 配送方法に紐づく支払方法の選択肢 (中立表現).
+ *
+ * 代引手数料等は `chargeMinor` に minor unit (整数) で保持する。
+ */
+final readonly class FulfillmentPaymentOption
+{
+    public function __construct(
+        public int $paymentId,
+        public string $method,
+        public int $chargeMinor,
+        public string $currencyCode,
+    ) {
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapper.php b/src/Eccube/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapper.php
new file mode 100644
index 00000000000..4075743c00c
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapper.php
@@ -0,0 +1,152 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Fulfillment;
+
+use Eccube\Entity\Delivery;
+use Eccube\Entity\Master\Pref;
+use Eccube\Entity\Master\SaleType;
+use Eccube\Entity\ProductClass;
+use Eccube\Repository\DeliveryFeeRepository;
+use Eccube\Repository\DeliveryRepository;
+use Eccube\Service\AgentCommerce\MinorUnitConverter;
+
+/**
+ * EC-CUBE 標準のマスタ (Delivery / DeliveryFee / Payment / DeliveryDuration) から
+ * 配送方法の選択肢を組み立てる標準実装.
+ *
+ * - 利用可能な `Delivery` は明細の `SaleType` から `DeliveryRepository::getDeliveries()` で絞る。
+ * - 送料は配送先 `Pref` と `Delivery` の `DeliveryFee` から解決 (該当行が無ければ配送不可として除外)。
+ * - 代引等の手数料は `Delivery` の `PaymentOption` → `Payment::getCharge()` から解決。
+ * - 配送日数は明細横断の `DeliveryDuration::getDuration()` の最大値 (負数=お取り寄せが 1 件でもあれば未確定として null)。
+ *
+ * 複数 `SaleType` をまたぐ注文 (複数配送分割) の厳密な表現は本標準実装の対象外であり、
+ * `app/Customize` での差し替えに委ねる (フラットな選択肢一覧として返す)。
+ */
+class StandardFulfillmentOptionMapper implements FulfillmentOptionMapperInterface
+{
+    public function __construct(
+        private readonly DeliveryRepository $deliveryRepository,
+        private readonly DeliveryFeeRepository $deliveryFeeRepository,
+        private readonly MinorUnitConverter $minorUnitConverter,
+    ) {
+    }
+
+    public function mapForDestination(iterable $productClasses, Pref $pref, string $currencyCode = 'JPY'): array
+    {
+        $items = is_array($productClasses) ? $productClasses : iterator_to_array($productClasses);
+
+        $saleTypes = $this->extractSaleTypes($items);
+        if ($saleTypes === []) {
+            return [];
+        }
+
+        $estimatedDeliveryDays = $this->resolveDeliveryDays($items);
+
+        $options = [];
+        foreach ($this->deliveryRepository->getDeliveries($saleTypes) as $Delivery) {
+            $DeliveryFee = $this->deliveryFeeRepository->findOneBy([
+                'Delivery' => $Delivery,
+                'Pref' => $pref,
+            ]);
+            if ($DeliveryFee === null) {
+                // 配送先に対する送料設定が無い = この配送方法では届けられない。
+                continue;
+            }
+
+            $options[] = new FulfillmentOption(
+                deliveryId: (int) $Delivery->getId(),
+                name: (string) $Delivery->getName(),
+                shippingFeeMinor: $this->minorUnitConverter->toMinorUnits($DeliveryFee->getFee() ?? '0', $currencyCode),
+                currencyCode: $currencyCode,
+                estimatedDeliveryDays: $estimatedDeliveryDays,
+                paymentOptions: $this->resolvePaymentOptions($Delivery, $currencyCode),
+            );
+        }
+
+        return $options;
+    }
+
+    /**
+     * 明細から重複を除いた SaleType の一覧を取得する.
+     *
+     * @param array<int, ProductClass> $items
+     *
+     * @return array<int, SaleType>
+     */
+    private function extractSaleTypes(array $items): array
+    {
+        $saleTypes = [];
+        foreach ($items as $ProductClass) {
+            $SaleType = $ProductClass->getSaleType();
+            if ($SaleType === null) {
+                continue;
+            }
+            $saleTypes[(int) $SaleType->getId()] = $SaleType;
+        }
+
+        return array_values($saleTypes);
+    }
+
+    /**
+     * 明細横断の配送日数 (最大値) を返す.
+     *
+     * お取り寄せ (duration < 0) が 1 件でもあれば未確定として null を返す。
+     * 配送日数の設定が皆無の場合も null。
+     *
+     * @param array<int, ProductClass> $items
+     */
+    private function resolveDeliveryDays(array $items): ?int
+    {
+        $maxDays = null;
+        foreach ($items as $ProductClass) {
+            $DeliveryDuration = $ProductClass->getDeliveryDuration();
+            if ($DeliveryDuration === null) {
+                continue;
+            }
+            $duration = $DeliveryDuration->getDuration();
+            if ($duration < 0) {
+                return null;
+            }
+            if ($maxDays === null || $duration > $maxDays) {
+                $maxDays = $duration;
+            }
+        }
+
+        return $maxDays;
+    }
+
+    /**
+     * 配送方法に紐づく (表示可能な) 支払方法の選択肢を返す.
+     *
+     * @return array<int, FulfillmentPaymentOption>
+     */
+    private function resolvePaymentOptions(Delivery $Delivery, string $currencyCode): array
+    {
+        $paymentOptions = [];
+        foreach ($Delivery->getPaymentOptions() as $PaymentOption) {
+            $Payment = $PaymentOption->getPayment();
+            if ($Payment === null || !$Payment->isVisible()) {
+                continue;
+            }
+            $paymentOptions[] = new FulfillmentPaymentOption(
+                paymentId: (int) $Payment->getId(),
+                method: (string) $Payment->getMethod(),
+                chargeMinor: $this->minorUnitConverter->toMinorUnits($Payment->getCharge() ?? '0', $currencyCode),
+                currencyCode: $currencyCode,
+            );
+        }
+
+        return $paymentOptions;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStore.php b/src/Eccube/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStore.php
new file mode 100644
index 00000000000..3b281222918
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStore.php
@@ -0,0 +1,169 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Idempotency;
+
+use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
+use Doctrine\ORM\EntityManagerInterface;
+use Eccube\Entity\AgentCheckoutIdempotency;
+use Eccube\Repository\AgentCheckoutIdempotencyRepository;
+use Eccube\Service\AgentCommerce\Exception\IdempotencyConflictException;
+
+/**
+ * エージェントチェックアウトの Idempotency-Key 処理 (DB 一意制約ベース).
+ *
+ * 状態変更操作 (complete 等) で `Idempotency-Key` ヘッダが付与された場合、初回はハンドラを実行し
+ * 結果を `dtb_agent_checkout_idempotency` へ保存する。同一キーの再送はハンドラを再実行せず保存済み
+ * レスポンスをリプレイする (副作用の再実行なし)。
+ *
+ * **`(idempotency_key, subject)` の DB 一意制約**で直列化するため、Redis 等の共有キャッシュや
+ * ノードローカルな分散ロックに依存せず、**マルチインスタンス (AWS 等) でも単一の共有 DB だけで**
+ * 並行・越境の二重実行を防ぐ。`subject` は認証済みエージェント識別子で名前空間化する。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout-rest.md (Idempotency-Key)
+ */
+class AgentCheckoutIdempotencyStore
+{
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly AgentCheckoutIdempotencyRepository $repository,
+    ) {
+    }
+
+    /**
+     * Idempotency-Key を考慮してハンドラを実行する.
+     *
+     * @param string|null                                                 $key         Idempotency-Key ヘッダ値 (null/空ならキー無しとして都度実行)
+     * @param string                                                      $requestHash リクエスト内容のハッシュ (異パラメータ再利用検知用)
+     * @param callable(): array{status: int, body: array<string, mixed>} $compute     初回に実行するハンドラ
+     * @param string|null                                                 $subject     認証済み主体 (UCP-Agent profile 等)。未認証は null
+     *
+     * @return array{status: int, body: array<string, mixed>, replayed: bool}
+     *
+     * @throws IdempotencyConflictException 同一キーの異パラメータ再利用、または処理中の並行リクエスト
+     */
+    public function execute(?string $key, string $requestHash, callable $compute, ?string $subject = null): array
+    {
+        if ($key === null || $key === '') {
+            $result = $compute();
+
+            return ['status' => $result['status'], 'body' => $result['body'], 'replayed' => false];
+        }
+
+        $subjectKey = $subject ?? '';
+
+        // 既存記録があればリプレイ / 競合 / 処理中を判定する (逐次再送はここで完結)。
+        $existing = $this->repository->findOneByKeyAndSubject($key, $subjectKey);
+        if ($existing !== null) {
+            return $this->replay($existing->getRequestHash(), $existing->hasResponse(), (int) $existing->getResponseStatus(), $existing->getResponseBody() ?? [], $requestHash);
+        }
+
+        // 予約行を INSERT。一意制約で並行・越境の二重実行を直列化する。
+        $reservation = (new AgentCheckoutIdempotency())
+            ->setIdempotencyKey($key)
+            ->setSubject($subjectKey)
+            ->setRequestHash($requestHash);
+        try {
+            $this->entityManager->persist($reservation);
+            $this->entityManager->flush();
+        } catch (UniqueConstraintViolationException) {
+            // 並行する別リクエストが先に予約した (flush 失敗で EM は閉じるため DBAL で直接読む)。
+            return $this->replayFromDbal($key, $subjectKey, $requestHash);
+        }
+
+        // 予約を獲得 → compute を実行。失敗時は予約を消して再試行可能にする。
+        try {
+            $result = $compute();
+        } catch (\Throwable $e) {
+            $this->deleteReservation($key, $subjectKey);
+
+            throw $e;
+        }
+
+        $reservation->setResponseStatus($result['status'])->setResponseBody($result['body']);
+        $this->entityManager->flush();
+
+        return ['status' => $result['status'], 'body' => $result['body'], 'replayed' => false];
+    }
+
+    /**
+     * リクエスト内容から安定したハッシュを生成する (キー再利用検知用).
+     *
+     * @param array<string, mixed> $payload
+     */
+    public function hashRequest(array $payload): string
+    {
+        // キーの並び順に依存しない安定したハッシュにする (同一内容・異キー順を同一リクエストと扱う)。
+        ksort($payload);
+
+        return hash('sha256', (string) json_encode($payload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE));
+    }
+
+    /**
+     * 既存記録から リプレイ結果を返す。異パラメータ再利用・処理中は競合例外.
+     *
+     * @param array<string, mixed> $storedBody
+     *
+     * @return array{status: int, body: array<string, mixed>, replayed: bool}
+     */
+    private function replay(string $storedHash, bool $hasResponse, int $storedStatus, array $storedBody, string $requestHash): array
+    {
+        if ($storedHash !== $requestHash) {
+            throw new IdempotencyConflictException('Idempotency-Key was reused with different request parameters.');
+        }
+        if (!$hasResponse) {
+            throw new IdempotencyConflictException('A request with the same Idempotency-Key is currently being processed.');
+        }
+
+        return ['status' => $storedStatus, 'body' => $storedBody, 'replayed' => true];
+    }
+
+    /**
+     * 一意制約違反 (EM が閉じた後) に DBAL で既存記録を読み、リプレイ結果を返す.
+     *
+     * @return array{status: int, body: array<string, mixed>, replayed: bool}
+     */
+    private function replayFromDbal(string $key, string $subject, string $requestHash): array
+    {
+        $row = $this->entityManager->getConnection()->fetchAssociative(
+            'SELECT request_hash, response_status, response_body FROM dtb_agent_checkout_idempotency WHERE idempotency_key = :k AND subject = :s',
+            ['k' => $key, 's' => $subject],
+        );
+        if ($row === false) {
+            // 競合相手がロールバック等で消えた場合は処理中扱い (再試行を促す)。
+            throw new IdempotencyConflictException('A request with the same Idempotency-Key is currently being processed.');
+        }
+
+        $hasResponse = $row['response_status'] !== null;
+        $decoded = is_string($row['response_body'] ?? null) ? json_decode($row['response_body'], true) : null;
+
+        return $this->replay(
+            (string) ($row['request_hash'] ?? ''),
+            $hasResponse,
+            (int) ($row['response_status'] ?? 0),
+            is_array($decoded) ? $decoded : [],
+            $requestHash,
+        );
+    }
+
+    /**
+     * 予約行を削除する (compute 失敗時の再試行を可能にするため。EM 状態に依存しない DBAL 経由).
+     */
+    private function deleteReservation(string $key, string $subject): void
+    {
+        $this->entityManager->getConnection()->delete(
+            'dtb_agent_checkout_idempotency',
+            ['idempotency_key' => $key, 'subject' => $subject],
+        );
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/MinorUnitConverter.php b/src/Eccube/Service/AgentCommerce/MinorUnitConverter.php
new file mode 100644
index 00000000000..b95ad5677de
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/MinorUnitConverter.php
@@ -0,0 +1,119 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce;
+
+use Symfony\Component\Intl\Currencies;
+
+/**
+ * 通貨の major-unit (人間が扱う表記) と minor-unit (整数表現) を相互変換するサービス.
+ *
+ * ACP / UCP の金額はいずれも minor-unit (最小通貨単位) の整数で表現される。
+ * minor-unit は major-unit を「通貨の小数桁数 (ISO 4217) だけ 10 倍した整数」で、
+ * 同じ "1000" でも通貨ごとに桁数が変わる (JPY は ×1、USD は ×100)。一律 ×100 ではない点に注意。
+ * 桁数は symfony/intl の権威データから取得するため、ゼロデシマル通貨 (JPY/KRW/TWD) や
+ * 3 桁通貨 (BHD 等) も自動で正しく扱える (EC-CUBE 本体の金額カラムは 2 桁まで)。
+ * 割引・返金などの負数にも対応する。
+ */
+class MinorUnitConverter
+{
+    /**
+     * major-unit の金額文字列を minor-unit の整数へ変換する.
+     *
+     * minor-unit は「通貨の小数桁数 (ISO 4217) だけ 0 が増えた整数」。
+     * 同じ金額でも通貨によって桁数が変わる (一律 ×100 ではない):
+     *   ("1000",    "JPY") => 1000     // 0 桁通貨: ×10^0 → 桁は増えない
+     *   ("1000.00", "USD") => 100000   // 2 桁通貨: ×10^2 → 0 が 2 つ増える
+     *   ("12.34",   "USD") => 1234
+     *   ("-15.00",  "USD") => -1500    // 割引・返金などの負数も可
+     *
+     * @param string $amount   major-unit の金額 (decimal 文字列). 負数可
+     * @param string $currency ISO 4217 通貨コード (例: JPY, USD)
+     */
+    public function toMinorUnits(string $amount, string $currency): int
+    {
+        $amount = trim($amount);
+        $digits = $this->getFractionDigits($currency);
+
+        // 符号を分離して非負の値として丸め、最後に符号を戻す (round-half-up を絶対値で行うため)。
+        $negative = false;
+        if (str_starts_with($amount, '-')) {
+            $negative = true;
+            $amount = substr($amount, 1);
+        } elseif (str_starts_with($amount, '+')) {
+            $amount = substr($amount, 1);
+        }
+
+        // scale を桁数 + 1 にして、丸め用の補正を加える。
+        $scale = $digits + 1;
+        $factor = bcpow('10', (string) $digits, 0);
+
+        try {
+            // amount * 10^digits を計算 (まだ小数を含みうる)。
+            $scaled = bcmul($amount, $factor, $scale);
+
+            // round-half-up: 正の値に 0.5 を足してから切り捨て (bcmath は truncate)。
+            $rounded = bcadd($scaled, '0.5', 0);
+        } catch (\ValueError) {
+            // 受け付ける数値文字列形式の判定は BCMath 自身に委譲する。
+            // 不正な表記 (abc / 1,000 / 1e3 等) は ValueError になるため 0 とみなす。
+            // (空文字 '' や '.' は BCMath が 0 として扱うのでここには来ない)
+            return 0;
+        }
+
+        $result = (int) $rounded;
+
+        return $negative ? -$result : $result;
+    }
+
+    /**
+     * minor-unit の整数を major-unit の decimal 文字列へ変換する (toMinorUnits の逆変換).
+     *
+     *   (1000,   "JPY") => "1000"     // 0 桁通貨: そのまま
+     *   (100000, "USD") => "1000.00"  // 2 桁通貨: 下 2 桁が小数部
+     *   (1234,   "USD") => "12.34"
+     *   (-1500,  "USD") => "-15.00"
+     *
+     * @param int    $minorUnits minor-unit の整数. 負数可
+     * @param string $currency   ISO 4217 通貨コード
+     */
+    public function toAmountString(int $minorUnits, string $currency): string
+    {
+        $digits = $this->getFractionDigits($currency);
+
+        if ($digits === 0) {
+            return (string) $minorUnits;
+        }
+
+        $factor = bcpow('10', (string) $digits, 0);
+
+        // bcdiv は scale 桁で丸めずに切り捨てるが、minor->major は割り切れるため scale=digits で正確。
+        return bcdiv((string) $minorUnits, $factor, $digits);
+    }
+
+    /**
+     * 通貨の小数桁数を ISO 4217 権威データから取得する.
+     *
+     * 未知の通貨コードの場合は安全側に倒して 2 桁を返す。
+     */
+    private function getFractionDigits(string $currency): int
+    {
+        $currency = strtoupper(trim($currency));
+
+        if ($currency !== '' && Currencies::exists($currency)) {
+            return Currencies::getFractionDigits($currency);
+        }
+
+        return 2;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerInterface.php b/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerInterface.php
new file mode 100644
index 00000000000..ef3f271e00a
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerInterface.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Payment;
+
+use Eccube\Entity\Order;
+
+/**
+ * エージェントチェックアウトの決済ハンドラ共通基底.
+ *
+ * ACP の Shared Payment Token / UCP の Payment Token Exchange 等、プロトコル固有の
+ * トークン償還 (redeem) はそれぞれの派生インターフェイス (#6776 ACP / #6574 UCP) が
+ * 本基底を継承して定義する。実装は決済プラグイン側に置く (core は型のみ保持)。
+ */
+interface AgentCheckoutPaymentHandlerInterface
+{
+    /**
+     * 与信 (オーソリ) を行う.
+     *
+     * complete の**状態機械の入口**であり、初回 complete と再開 complete の双方から呼ばれる
+     * (再入可能)。$paymentData に authentication_result 等の再開情報が含まれていれば、それを
+     * 使って追加認証 (EMV-3DS) を完了させる。追加認証が必要な場合は例外でなく
+     * {@link PaymentOutcome} の REQUIRES_ACTION を返す。
+     *
+     * @param array<string, mixed> $paymentData 支払トークン等の中立表現 (再開時は authentication_result を含む)
+     */
+    public function authorize(Order $order, array $paymentData): PaymentOutcome;
+
+    /**
+     * 売上確定 (キャプチャ) を行う. {@link authorize()} が COMPLETED を返した後にのみ呼ぶ.
+     *
+     * @param array<string, mixed> $paymentData 支払トークン等の中立表現
+     */
+    public function capture(Order $order, array $paymentData): PaymentOutcome;
+
+    /**
+     * このハンドラが指定の支払方法 (Payment.method_class 等) を扱えるか.
+     */
+    public function supports(Order $order): bool;
+}
diff --git a/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistry.php b/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistry.php
new file mode 100644
index 00000000000..b07f49ab1b5
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistry.php
@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Payment;
+
+use Eccube\Entity\Order;
+
+/**
+ * エージェントチェックアウトの決済ハンドラレジストリ.
+ *
+ * `agent_commerce.payment_handler` タグの付いたハンドラを集約し、Order の支払方法、もしくは
+ * UCP の handler_id から適切なハンドラを解決する。具象ハンドラは決済プラグインがタグ付きサービスとして
+ * 寄与する (core には具象実装を持たない)。
+ */
+class AgentCheckoutPaymentHandlerRegistry
+{
+    /**
+     * @var list<AgentCheckoutPaymentHandlerInterface>
+     */
+    private readonly array $handlers;
+
+    /**
+     * @param iterable<AgentCheckoutPaymentHandlerInterface> $handlers タグ付きハンドラ群
+     */
+    public function __construct(iterable $handlers)
+    {
+        $this->handlers = is_array($handlers) ? array_values($handlers) : iterator_to_array($handlers, false);
+    }
+
+    /**
+     * Order の支払方法を扱えるハンドラを返す (なければ null).
+     */
+    public function resolveForOrder(Order $order): ?AgentCheckoutPaymentHandlerInterface
+    {
+        foreach ($this->handlers as $handler) {
+            if ($handler->supports($order)) {
+                return $handler;
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * UCP の handler_id に一致する UCP ハンドラを返す (なければ null).
+     *
+     * 同一 handler_id を複数のハンドラが宣言している場合は、プラグイン競合による非決定的な
+     * 決済ハンドラ選択を避けるため、null を返さず明示的に例外を投げる。
+     *
+     * @throws \RuntimeException 同一 handler_id が複数登録されている場合
+     */
+    public function resolveUcpByHandlerId(string $handlerId): ?UcpPaymentHandlerInterface
+    {
+        $matched = [];
+        foreach ($this->handlers as $handler) {
+            if ($handler instanceof UcpPaymentHandlerInterface && $handler->getHandlerId() === $handlerId) {
+                $matched[] = $handler;
+            }
+        }
+
+        if (count($matched) > 1) {
+            throw new \RuntimeException(sprintf('Multiple UCP payment handlers are registered for handler_id "%s". Plugin payment handlers must declare a unique handler_id.', $handlerId));
+        }
+
+        return $matched[0] ?? null;
+    }
+
+    /**
+     * 登録済みの UCP ハンドラを返す (discovery の payment_handlers 広告に使用).
+     *
+     * @return list<UcpPaymentHandlerInterface>
+     */
+    public function ucpHandlers(): array
+    {
+        return array_values(array_filter(
+            $this->handlers,
+            static fn (AgentCheckoutPaymentHandlerInterface $handler): bool => $handler instanceof UcpPaymentHandlerInterface
+        ));
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcome.php b/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcome.php
new file mode 100644
index 00000000000..bdce9599af9
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcome.php
@@ -0,0 +1,84 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Payment;
+
+/**
+ * 決済ハンドラ (authorize/capture) の処理結果 (プロトコル非依存の中立 DTO).
+ *
+ * EC-CUBE 通常購入の {@link \Eccube\Service\Payment\PaymentResult} / {@link \Eccube\Service\Payment\PaymentDispatcher}
+ * が成否と外部遷移を表現するのと同じ役割を、エージェント向けに Symfony Response 非依存の形で持つ
+ * (エージェントは Response を解釈しないため、追加対応に必要なデータは {@link $actionData} に中立な形で載せる)。
+ */
+final readonly class PaymentOutcome
+{
+    /**
+     * @param array<string, mixed> $actionData REQUIRES_ACTION 時の中立データ。プロトコル層が
+     *                                          continue_url (UCP) / authentication_metadata (ACP) へ写し取る
+     * @param array<string, mixed> $metadata   payment_data へ保持する PSP 参照等 (token はマスキング済)
+     */
+    public function __construct(
+        public PaymentOutcomeStatus $status,
+        public ?string $transactionId = null,
+        public array $actionData = [],
+        public array $metadata = [],
+        public ?string $errorCode = null,
+        public ?string $errorMessage = null,
+        public bool $retryable = true,
+    ) {
+    }
+
+    /**
+     * @param array<string, mixed> $metadata
+     */
+    public static function completed(?string $transactionId = null, array $metadata = []): self
+    {
+        return new self(PaymentOutcomeStatus::COMPLETED, $transactionId, [], $metadata);
+    }
+
+    /**
+     * @param array<string, mixed> $actionData continue_url / authentication_metadata の原資
+     * @param array<string, mixed> $metadata
+     */
+    public static function requiresAction(array $actionData, array $metadata = []): self
+    {
+        return new self(PaymentOutcomeStatus::REQUIRES_ACTION, null, $actionData, $metadata);
+    }
+
+    /**
+     * @param array<string, mixed> $metadata
+     */
+    public static function pending(array $metadata = []): self
+    {
+        return new self(PaymentOutcomeStatus::PENDING, null, [], $metadata);
+    }
+
+    /**
+     * @param bool $retryable 再試行可能か (card declined 等は true=セッションを ready に戻す /
+     *                         fraud block 等の不可逆失敗は false=セッションを canceled にする)
+     */
+    public static function failed(string $errorCode, string $errorMessage = '', bool $retryable = true): self
+    {
+        return new self(PaymentOutcomeStatus::FAILED, null, [], [], $errorCode, $errorMessage, $retryable);
+    }
+
+    public function isSuccessful(): bool
+    {
+        return $this->status === PaymentOutcomeStatus::COMPLETED;
+    }
+
+    public function needsAction(): bool
+    {
+        return $this->status === PaymentOutcomeStatus::REQUIRES_ACTION;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcomeStatus.php b/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcomeStatus.php
new file mode 100644
index 00000000000..a39a77fb7e3
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Payment/PaymentOutcomeStatus.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Payment;
+
+/**
+ * 決済ハンドラの処理結果ステータス.
+ *
+ * エージェントチェックアウトの complete は「中断 → 再開」する状態機械であり、追加認証 (EMV-3DS) や
+ * 外部サイトへの buyer ハンドオフ (escalation) は**エラーではなく正常な中間状態**である。
+ * 決済ハンドラ ({@link AgentCheckoutPaymentHandlerInterface}) はこのステータスを返し、
+ * オーケストレータ ({@link \Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionService})
+ * が CheckoutSession の正規化ステータス遷移・在庫引当の保持/回収を決定する。
+ */
+enum PaymentOutcomeStatus: string
+{
+    /** 与信/売上が成功し、注文を確定 (commit) してよい. */
+    case COMPLETED = 'completed';
+
+    /** 追加対応が必要 (3DS challenge / escalation)。在庫は引当のまま保持し、再開 complete を待つ. */
+    case REQUIRES_ACTION = 'requires_action';
+
+    /** 非同期処理中 (PSP の確定通知待ち)。IPN/Webhook で完了させる. */
+    case PENDING = 'pending';
+
+    /** 拒否・エラー。引当をロールバックする. */
+    case FAILED = 'failed';
+}
diff --git a/src/Eccube/Service/AgentCommerce/Payment/UcpPaymentHandlerInterface.php b/src/Eccube/Service/AgentCommerce/Payment/UcpPaymentHandlerInterface.php
new file mode 100644
index 00000000000..3c931d126b0
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Payment/UcpPaymentHandlerInterface.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Payment;
+
+/**
+ * UCP の Payment Token Exchange 向け決済ハンドラ.
+ *
+ * UCP checkout の complete 時に、エージェントから渡された支払クレデンシャル
+ * (payment_handler 固有のトークン) を PSP のゲートウェイトークンへ交換 (exchange) する。
+ * 具体的な交換ロジックは決済プラグイン側に実装し (core は型のみ保持)、本体は
+ * {@link AgentCheckoutPaymentHandlerRegistry} 経由で handler_id により解決する。
+ *
+ * UCP discovery profile の `payment_handlers` (逆ドメイン名キーのレジストリ) は
+ * {@link getHandlerId()} が返す識別子で広告される。
+ *
+ * @see https://github.com/EC-CUBE/ec-cube/issues/6574
+ */
+interface UcpPaymentHandlerInterface extends AgentCheckoutPaymentHandlerInterface
+{
+    /**
+     * このハンドラの識別子 (UCP の逆ドメイン名形式、例: "dev.ucp.payment.card").
+     *
+     * discovery profile の `payment_handlers` キー、および complete リクエストの
+     * payment.instruments[].handler_id との突合に用いる。
+     */
+    public function getHandlerId(): string;
+
+    /**
+     * エージェントから渡された支払クレデンシャルを PSP のゲートウェイトークンへ交換する.
+     *
+     * @param array<string, mixed> $credential payment.instruments[].credential の中立表現 (type/token 等)
+     *
+     * @return array<string, mixed> 後続の authorize()/capture() へ渡す中立な支払データ
+     */
+    public function exchangePaymentToken(array $credential): array;
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/AgentCommerceMessageSignerInterface.php b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceMessageSignerInterface.php
new file mode 100644
index 00000000000..e97450e20ef
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceMessageSignerInterface.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+/**
+ * エージェントコマースのメッセージ署名・検証を抽象化するインターフェイス.
+ *
+ * 署名アルゴリズムはプロトコルごとに差し替え可能とする (UCP=RFC 9421 / EC P-256 など).
+ * 公開鍵は discovery の signing_keys[] (JWK) として広告される.
+ */
+interface AgentCommerceMessageSignerInterface
+{
+    /**
+     * 署名ベース文字列に署名し, base64url エンコードした署名値を返す.
+     *
+     * @param string $signatureBase 署名対象のバイト列 (RFC 9421 の signature base 等)
+     *
+     * @return string base64url エンコードされた署名
+     */
+    public function sign(string $signatureBase): string;
+
+    /**
+     * base64url エンコードされた署名を検証する.
+     *
+     * 鍵ローテーションの grace period 中は旧公開鍵でも検証を許可する.
+     *
+     * @param string $signatureBase 署名対象のバイト列
+     * @param string $signature     base64url エンコードされた署名
+     *
+     * @return bool 検証に成功したとき true
+     */
+    public function verify(string $signatureBase, string $signature): bool;
+
+    /**
+     * 公開鍵 JWK (連想配列) の配列を返す. 現用鍵 + grace period の旧鍵を含む.
+     *
+     * 秘密鍵パラメータ (d) は絶対に含めない.
+     *
+     * @return array<int, array<string, mixed>> JWK の配列
+     */
+    public function getPublicJwks(): array;
+
+    /**
+     * 現用鍵の Key ID (kid) を返す.
+     */
+    public function getCurrentKid(): string;
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/AgentCommerceOAuth2Authenticator.php b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceOAuth2Authenticator.php
new file mode 100644
index 00000000000..c5c404026c0
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceOAuth2Authenticator.php
@@ -0,0 +1,103 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+/**
+ * エージェントコマースのインバウンド OAuth2 トークン検証 + scope×protocol 照合.
+ *
+ * 設計方針 (#6777):
+ * - **eccube-api4 の具象には依存しない**。トークン検証は Symfony 標準の
+ *   {@link AccessTokenHandlerInterface} 経由で行い、実体 (リソースサーバー) は
+ *   eccube-api4 が提供する想定 ([EC-CUBE/eccube-api4#188])。
+ * - eccube-api4 未導入時は handler が null となり、503 (ServiceUnavailable) を返す
+ *   フィーチャーフラグ的フォールバックとする。
+ * - 付与 scope は {@link UserBadge} の attributes に handler が載せる前提
+ *   (`scopes`: array<string> もしくは `scope`: 空白区切り string)。
+ *
+ * 本クラスは検証ロジックの中核であり、firewall への配線 (Symfony の access_token
+ * authenticator 化) は checkout エンドポイントを持つ #6776/#6574 で行う。
+ */
+class AgentCommerceOAuth2Authenticator
+{
+    public function __construct(
+        private readonly AgentCommerceScopeRegistry $scopeRegistry,
+        private readonly ?AccessTokenHandlerInterface $accessTokenHandler = null,
+    ) {
+    }
+
+    /**
+     * eccube-api4 (リソースサーバー) が利用可能か.
+     */
+    public function isAvailable(): bool
+    {
+        return $this->accessTokenHandler !== null;
+    }
+
+    /**
+     * アクセストークンを検証し、protocol/capability に必要な scope を持つか確認する.
+     *
+     * @return UserBadge 検証済みユーザーバッジ (subject 識別子 + attributes)
+     *
+     * @throws ServiceUnavailableHttpException eccube-api4 未導入 (503 相当)
+     * @throws AuthenticationException トークン不正 (401 相当)
+     * @throws AccessDeniedException scope 不足・protocol 越境 (403 相当)
+     */
+    public function authenticate(string $accessToken, string $protocol, string $capability): UserBadge
+    {
+        if ($this->accessTokenHandler === null) {
+            throw new ServiceUnavailableHttpException(null, 'OAuth2 resource server (eccube-api4) is not installed');
+        }
+
+        // 不正トークンは AuthenticationException (401 相当) が送出される。
+        $userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);
+
+        $grantedScopes = $this->extractScopes($userBadge);
+        if (!$this->scopeRegistry->supports($protocol, $capability, $grantedScopes)) {
+            throw new AccessDeniedException(sprintf('The token is not granted the required scope "%s:%s".', $protocol, $capability));
+        }
+
+        return $userBadge;
+    }
+
+    /**
+     * UserBadge の attributes から付与 scope 一覧を取り出す.
+     *
+     * `scopes` (array<string>) を優先し、無ければ `scope` (空白区切り string) を解釈する。
+     *
+     * @return list<string>
+     */
+    private function extractScopes(UserBadge $userBadge): array
+    {
+        $attributes = $userBadge->getAttributes() ?? [];
+
+        if (isset($attributes['scopes']) && is_array($attributes['scopes'])) {
+            return array_values(array_filter(
+                array_map(static fn ($scope): string => (string) $scope, $attributes['scopes']),
+                static fn (string $scope): bool => $scope !== '',
+            ));
+        }
+
+        if (isset($attributes['scope']) && is_string($attributes['scope'])) {
+            return array_values(array_filter(explode(' ', $attributes['scope']), static fn (string $scope): bool => $scope !== ''));
+        }
+
+        return [];
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/AgentCommerceScopeRegistry.php b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceScopeRegistry.php
new file mode 100644
index 00000000000..bfe7e27b4bf
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/AgentCommerceScopeRegistry.php
@@ -0,0 +1,99 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+/**
+ * エージェントコマース (ACP / UCP) の OAuth2 scope を正準化するレジストリ.
+ *
+ * scope は "<protocol>:<capability>" 形式で統一する (例: "ucp:checkout")。
+ * "agent:catalog:read" のような旧形式は無効とする。protocol 越境
+ * (例: acp トークンで ucp capability を要求) は許可しない。
+ */
+class AgentCommerceScopeRegistry
+{
+    /**
+     * 正準 scope レジストリ. protocol => 許可する capability の配列.
+     *
+     * app/Customize で差し替えやすいようメソッド経由で参照する。
+     *
+     * @var array<string, list<string>>
+     */
+    private const CANONICAL_SCOPES = [
+        'acp' => ['checkout', 'catalog'],
+        'ucp' => ['checkout', 'cart', 'catalog', 'identity'],
+    ];
+
+    /**
+     * scope 文字列が正準レジストリに存在するか判定する.
+     *
+     * "ucp:checkout" などレジストリに定義された "<protocol>:<capability>" のみ true。
+     */
+    public function isValidScope(string $scope): bool
+    {
+        $parts = explode(':', $scope);
+
+        // 正確に protocol:capability の 2 要素でなければ無効 (例: "agent:catalog:read" は 3 要素)。
+        if (count($parts) !== 2) {
+            return false;
+        }
+
+        [$protocol, $capability] = $parts;
+
+        if ($protocol === '' || $capability === '') {
+            return false;
+        }
+
+        return isset(self::CANONICAL_SCOPES[$protocol])
+            && in_array($capability, self::CANONICAL_SCOPES[$protocol], true);
+    }
+
+    /**
+     * 指定 protocol が持つ全 scope 文字列を返す.
+     *
+     * 例: "ucp" => ["ucp:checkout", "ucp:cart", "ucp:catalog", "ucp:identity"]
+     *
+     * @return list<string>
+     */
+    public function scopesForProtocol(string $protocol): array
+    {
+        if (!isset(self::CANONICAL_SCOPES[$protocol])) {
+            return [];
+        }
+
+        return array_map(
+            static fn (string $capability): string => $protocol.':'.$capability,
+            self::CANONICAL_SCOPES[$protocol]
+        );
+    }
+
+    /**
+     * 付与済み scope 群が、指定 protocol/capability の操作を許可しているか判定する.
+     *
+     * grantedScopes に "<protocol>:<capability>" が含まれ、かつその scope が
+     * 正準であり protocol が一致するときのみ true。protocol 越境は false。
+     *
+     * @param list<string> $grantedScopes トークンに付与された scope 文字列の配列
+     */
+    public function supports(string $protocol, string $capability, array $grantedScopes): bool
+    {
+        $required = $protocol.':'.$capability;
+
+        // 要求 scope 自体が正準でなければ許可しない (越境・未定義の capability を排除)。
+        if (!$this->isValidScope($required)) {
+            return false;
+        }
+
+        return in_array($required, $grantedScopes, true);
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/FilesystemKeyStore.php b/src/Eccube/Service/AgentCommerce/Security/FilesystemKeyStore.php
new file mode 100644
index 00000000000..ad295a4f8ab
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/FilesystemKeyStore.php
@@ -0,0 +1,95 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+/**
+ * 署名鍵をファイルシステムに保管する標準キーストア実装。
+ *
+ * 既定パスは "{projectDir}/app/keystore/agent-commerce/{purpose}.key"。
+ * purpose ごとに環境変数等によるパス上書き ($envPathOverrides) が可能。
+ * 鍵ファイルはパーミッション 0600、格納ディレクトリは 0700 で作成する。
+ */
+class FilesystemKeyStore implements KeyStoreInterface
+{
+    /**
+     * @param string                $projectDir       プロジェクトルート (%kernel.project_dir%)
+     * @param array<string, string> $envPathOverrides purpose => 絶対パスの上書きマップ
+     */
+    public function __construct(
+        private readonly string $projectDir,
+        private readonly array $envPathOverrides = [],
+    ) {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function read(string $purpose): ?string
+    {
+        $path = $this->resolvePath($purpose);
+
+        if (!is_file($path)) {
+            return null;
+        }
+
+        $contents = file_get_contents($path);
+
+        return $contents === false ? null : $contents;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function write(string $purpose, string $pem): void
+    {
+        $path = $this->resolvePath($purpose);
+        $dir = \dirname($path);
+
+        if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
+            throw new \RuntimeException(sprintf('鍵格納ディレクトリ "%s" を作成できません.', $dir));
+        }
+
+        // file_put_contents は umask 既定 (通常 0644) でファイルを作成してから書き込むため、
+        // chmod(0600) までの間に秘密鍵が group/other から読める瞬間が生じる。
+        // 作成時点から 0600 になるよう、書き込みの間だけ umask(0077) に切り替える。
+        $oldUmask = umask(0077);
+        try {
+            if (file_put_contents($path, $pem) === false) {
+                throw new \RuntimeException(sprintf('鍵ファイル "%s" への書き込みに失敗しました.', $path));
+            }
+            if (!chmod($path, 0600)) {
+                throw new \RuntimeException(sprintf('鍵ファイル "%s" のパーミッション設定に失敗しました.', $path));
+            }
+        } finally {
+            umask($oldUmask);
+        }
+    }
+
+    /**
+     * purpose から鍵ファイルの絶対パスを解決する。
+     *
+     * $envPathOverrides[$purpose] が非空文字ならそのパスを優先し、
+     * それ以外は既定パスを使用する。
+     */
+    private function resolvePath(string $purpose): string
+    {
+        $override = $this->envPathOverrides[$purpose] ?? '';
+
+        if ($override !== '') {
+            return $override;
+        }
+
+        return $this->projectDir.'/app/keystore/agent-commerce/'.$purpose.'.key';
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/KeyStoreInterface.php b/src/Eccube/Service/AgentCommerce/Security/KeyStoreInterface.php
new file mode 100644
index 00000000000..f6180661371
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/KeyStoreInterface.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+/**
+ * エージェントコマースの署名鍵等を永続化するキーストアの抽象。
+ *
+ * 実装は app/Customize で差し替え可能 (例: DB 保管・Vault 連携)。
+ * 標準実装はファイルシステム (FilesystemKeyStore)。
+ */
+interface KeyStoreInterface
+{
+    /**
+     * 指定 purpose の鍵 (PEM 文字列) を読み出す。存在しなければ null。
+     *
+     * @param string $purpose 鍵の用途識別子 (例: 'ucp_signing')
+     *
+     * @return string|null PEM 文字列、または未保存の場合 null
+     */
+    public function read(string $purpose): ?string;
+
+    /**
+     * 指定 purpose の鍵 (PEM 文字列) を書き込む。
+     *
+     * @param string $purpose 鍵の用途識別子 (例: 'ucp_signing')
+     * @param string $pem     保存する PEM 文字列
+     */
+    public function write(string $purpose, string $pem): void;
+}
diff --git a/src/Eccube/Service/AgentCommerce/Security/UcpMessageSigner.php b/src/Eccube/Service/AgentCommerce/Security/UcpMessageSigner.php
new file mode 100644
index 00000000000..7410483c7fc
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Security/UcpMessageSigner.php
@@ -0,0 +1,277 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Security;
+
+use phpseclib3\Crypt\EC;
+use phpseclib3\Crypt\EC\PrivateKey;
+use phpseclib3\Crypt\EC\PublicKey;
+use phpseclib3\Crypt\PublicKeyLoader;
+
+/**
+ * UCP の RFC 9421 HTTP Message Signatures 向け署名実装.
+ *
+ * EC P-256 (secp256r1) / ES256 を使用し, 署名は raw R||S (IEEE P1363, 64byte) 形式で生成する.
+ * 公開鍵は EC JWK (kty:"EC", crv:"P-256", x, y) として discovery の signing_keys[] に広告する.
+ * 鍵ストア上に秘密鍵が無ければ生成して永続化する (KeyStoreInterface 経由).
+ */
+class UcpMessageSigner implements AgentCommerceMessageSignerInterface
+{
+    /**
+     * @var array<int, string> grace period 中の旧公開鍵 PEM 群
+     */
+    private readonly array $gracePublicKeyPems;
+
+    private ?PrivateKey $privateKey = null;
+
+    /**
+     * @param KeyStoreInterface   $keyStore           秘密鍵 PEM の読み書きストア
+     * @param string              $purpose            鍵の用途識別子 (KeyStore のパス解決に使用)
+     * @param array<int, string>  $gracePublicKeyPems 旧公開鍵 PEM 群 (verify/JWK に含める)
+     */
+    public function __construct(
+        private readonly KeyStoreInterface $keyStore,
+        private readonly string $purpose = 'ucp_signing',
+        array $gracePublicKeyPems = [],
+    ) {
+        $this->gracePublicKeyPems = array_values($gracePublicKeyPems);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function sign(string $signatureBase): string
+    {
+        $raw = $this->getPrivateKey()
+            ->withSignatureFormat('IEEE')
+            ->withHash('sha256')
+            ->sign($signatureBase);
+
+        return $this->base64urlEncode($raw);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function verify(string $signatureBase, string $signature): bool
+    {
+        $raw = $this->base64urlDecode($signature);
+        if ($raw === '') {
+            return false;
+        }
+
+        // 現用鍵 + grace period の旧公開鍵すべてに対して検証を試みる.
+        foreach ($this->collectPublicKeys() as $publicKey) {
+            try {
+                $verified = $publicKey
+                    ->withSignatureFormat('IEEE')
+                    ->withHash('sha256')
+                    ->verify($signatureBase, $raw);
+            } catch (\Throwable) {
+                // 不正な署名長などで例外が出る実装差異を吸収し, 次の鍵へ.
+                continue;
+            }
+
+            if ($verified) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getPublicJwks(): array
+    {
+        $jwks = [];
+        foreach ($this->collectPublicKeys() as $publicKey) {
+            $jwks[] = $this->toPublicJwk($publicKey);
+        }
+
+        return $jwks;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getCurrentKid(): string
+    {
+        return $this->thumbprint($this->getCurrentPublicKey());
+    }
+
+    /**
+     * 現用秘密鍵を取得する. 鍵ストアに無ければ EC P-256 を生成して永続化する.
+     */
+    private function getPrivateKey(): PrivateKey
+    {
+        if ($this->privateKey instanceof PrivateKey) {
+            return $this->privateKey;
+        }
+
+        $pem = $this->keyStore->read($this->purpose);
+        if ($pem === null || trim($pem) === '') {
+            /** @var PrivateKey $generated */
+            $generated = EC::createKey('secp256r1');
+            $pem = $generated->toString('PKCS8');
+            $this->keyStore->write($this->purpose, $pem);
+            $this->privateKey = $generated;
+
+            return $this->privateKey;
+        }
+
+        $loaded = PublicKeyLoader::load($pem);
+        if (!$loaded instanceof PrivateKey) {
+            throw new \RuntimeException(sprintf('鍵ストアの "%s" は EC 秘密鍵ではありません.', $this->purpose));
+        }
+
+        $this->privateKey = $loaded;
+
+        return $this->privateKey;
+    }
+
+    private function getCurrentPublicKey(): PublicKey
+    {
+        return $this->getPrivateKey()->getPublicKey();
+    }
+
+    /**
+     * 現用 + grace の公開鍵を返す.
+     *
+     * @return array<int, PublicKey>
+     */
+    private function collectPublicKeys(): array
+    {
+        $keys = [$this->getCurrentPublicKey()];
+
+        foreach ($this->gracePublicKeyPems as $pem) {
+            if (trim($pem) === '') {
+                continue;
+            }
+            $loaded = PublicKeyLoader::load($pem);
+            if ($loaded instanceof PrivateKey) {
+                $keys[] = $loaded->getPublicKey();
+            } elseif ($loaded instanceof PublicKey) {
+                $keys[] = $loaded;
+            }
+        }
+
+        return $keys;
+    }
+
+    /**
+     * 公開鍵を EC JWK (連想配列) に変換する. 秘密鍵パラメータ d は含めない.
+     *
+     * @return array<string, mixed>
+     */
+    private function toPublicJwk(PublicKey $publicKey): array
+    {
+        $coords = $this->extractCoordinates($publicKey);
+
+        $jwk = [
+            'kty' => 'EC',
+            'crv' => 'P-256',
+            'x' => $coords['x'],
+            'y' => $coords['y'],
+            'use' => 'sig',
+            'alg' => 'ES256',
+        ];
+        $jwk['kid'] = $this->thumbprintFromCoordinates($coords['x'], $coords['y']);
+
+        return $jwk;
+    }
+
+    /**
+     * 公開鍵から JWK の座標 (x, y; base64url) を抽出する.
+     *
+     * 主: phpseclib の toString('JWK') を利用.
+     * フォールバック (コメント): phpseclib のバージョン差で 'JWK' 出力のキー名が
+     * 異なる / 取得できない場合は, getEncodedCoordinates() 等で得た
+     * uncompressed point (0x04 || X(32) || Y(32)) を 32byte ずつに分割し,
+     * それぞれ base64url する実装に切り替えること. ここではまず JWK 出力を解析し,
+     * 取得不能な場合に uncompressed point から座標を復元する.
+     *
+     * @return array{x: string, y: string}
+     */
+    private function extractCoordinates(PublicKey $publicKey): array
+    {
+        $x = null;
+        $y = null;
+
+        try {
+            $jwkJson = $publicKey->toString('JWK');
+            /** @var array<string, mixed>|null $decoded */
+            $decoded = json_decode($jwkJson, true);
+            if (is_array($decoded)) {
+                // JWK は {keys:[{...}]} か単体 {x,y} のいずれもあり得るため両対応.
+                if (isset($decoded['keys'][0]) && is_array($decoded['keys'][0])) {
+                    $decoded = $decoded['keys'][0];
+                }
+                if (isset($decoded['x']) && is_string($decoded['x'])) {
+                    $x = $decoded['x'];
+                }
+                if (isset($decoded['y']) && is_string($decoded['y'])) {
+                    $y = $decoded['y'];
+                }
+            }
+        } catch (\Throwable) {
+            // 下のフォールバックで座標を復元する.
+        }
+
+        if ($x === null || $y === null) {
+            // phpseclib3 の EC 公開鍵は toString('JWK') で必ず x/y を返すため通常到達しない。
+            throw new \RuntimeException('EC 公開鍵から JWK 座標を取得できませんでした.');
+        }
+
+        return ['x' => $x, 'y' => $y];
+    }
+
+    /**
+     * RFC 7638 JWK Thumbprint を kid として算出する.
+     */
+    private function thumbprint(PublicKey $publicKey): string
+    {
+        $coords = $this->extractCoordinates($publicKey);
+
+        return $this->thumbprintFromCoordinates($coords['x'], $coords['y']);
+    }
+
+    /**
+     * RFC 7638: 必須メンバ (crv, kty, x, y) を辞書順・余白なし JSON にして SHA-256 する.
+     */
+    private function thumbprintFromCoordinates(string $x, string $y): string
+    {
+        // キー昇順 (crv, kty, x, y), 余白なし.
+        $canonical = json_encode([
+            'crv' => 'P-256',
+            'kty' => 'EC',
+            'x' => $x,
+            'y' => $y,
+        ], JSON_UNESCAPED_SLASHES);
+
+        return $this->base64urlEncode(hash('sha256', (string) $canonical, true));
+    }
+
+    private function base64urlEncode(string $binary): string
+    {
+        return rtrim(strtr(base64_encode($binary), '+/', '-_'), '=');
+    }
+
+    private function base64urlDecode(string $value): string
+    {
+        $decoded = base64_decode(strtr($value, '-_', '+/'), true);
+
+        return $decoded === false ? '' : $decoded;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/StorefrontUrlResolver.php b/src/Eccube/Service/AgentCommerce/StorefrontUrlResolver.php
new file mode 100644
index 00000000000..ea56695b35e
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/StorefrontUrlResolver.php
@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce;
+
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+
+/**
+ * エージェントコマースの discovery / checkout レスポンスに必要な店舗 URL を生成する.
+ *
+ * UCP checkout レスポンスの `links[]` (privacy_policy / terms_of_service) は標準ページ
+ * (`help_privacy` / `help_agreement`) から**絶対 URL を実行時生成**する (BaseInfo にカラム化しない方針)。
+ * URL のベースは `RequestContext` (TRUSTED_PROXIES 反映) から決まる。app/Customize で
+ * 本サービスを decoration すれば独自ページへ差し替え可能。
+ */
+class StorefrontUrlResolver
+{
+    public function __construct(
+        private readonly UrlGeneratorInterface $urlGenerator,
+    ) {
+    }
+
+    /**
+     * プライバシーポリシーページの絶対 URL.
+     */
+    public function privacyPolicyUrl(): string
+    {
+        return $this->urlGenerator->generate('help_privacy', [], UrlGeneratorInterface::ABSOLUTE_URL);
+    }
+
+    /**
+     * 利用規約ページの絶対 URL.
+     */
+    public function termsOfServiceUrl(): string
+    {
+        return $this->urlGenerator->generate('help_agreement', [], UrlGeneratorInterface::ABSOLUTE_URL);
+    }
+
+    /**
+     * 注文の参照先 (permalink) 絶対 URL.
+     *
+     * UCP complete レスポンスの `order.permalink_url` に用いる。標準ではマイページの注文履歴
+     * (`mypage_history`) を指す。ゲスト注文は会員ログインへ誘導されるが URL 自体は絶対 URL として有効。
+     * 独自の注文確認ページへ差し替えたい場合は本サービスを decoration する。
+     */
+    public function orderPermalinkUrl(string $orderNo): string
+    {
+        return $this->urlGenerator->generate('mypage_history', ['order_no' => $orderNo], UrlGeneratorInterface::ABSOLUTE_URL);
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilder.php b/src/Eccube/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilder.php
new file mode 100644
index 00000000000..ea29e5781ca
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilder.php
@@ -0,0 +1,97 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp\Signature;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * RFC 9421 HTTP Message Signatures の signature base 文字列を構築する.
+ *
+ * Signature-Input が宣言する covered component を順に
+ * `"<component>": <value>` 行へ展開し、最後に `"@signature-params": <params>` 行を付す。
+ * UCP checkout が署名対象とするコンポーネント (@method/@authority/@path、および
+ * ucp-agent/idempotency-key/content-digest/content-type ヘッダ) を解決できる。
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc9421 RFC 9421 Section 2.5 (Creating the Signature Base)
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md
+ */
+class Rfc9421SignatureBaseBuilder
+{
+    /**
+     * signature base を構築する.
+     *
+     * @param Request      $request           署名対象のリクエスト
+     * @param list<string> $coveredComponents covered component 識別子 (小文字・派生は先頭 @)
+     * @param string       $signatureParams   `@signature-params` の値 (例: `("@method" "@path");created=...;keyid="..."`)
+     *
+     * @throws \InvalidArgumentException 解決できない component が含まれる場合
+     */
+    public function build(Request $request, array $coveredComponents, string $signatureParams): string
+    {
+        $lines = [];
+        foreach ($coveredComponents as $component) {
+            $value = $this->resolveComponent($request, $component);
+            $lines[] = sprintf('"%s": %s', $component, $value);
+        }
+
+        $lines[] = sprintf('"@signature-params": %s', $signatureParams);
+
+        return implode("\n", $lines);
+    }
+
+    /**
+     * covered component の値を解決する.
+     */
+    private function resolveComponent(Request $request, string $component): string
+    {
+        return match ($component) {
+            '@method' => strtoupper($request->getMethod()),
+            '@authority' => strtolower($request->getHttpHost()),
+            '@path' => $this->path($request),
+            '@query' => '?'.($request->getQueryString() ?? ''),
+            '@scheme' => strtolower($request->getScheme()),
+            '@target-uri' => $request->getUri(),
+            default => $this->resolveHeader($request, $component),
+        };
+    }
+
+    /**
+     * 派生コンポーネント以外はヘッダ値として解決する (RFC 9421 では小文字のフィールド名).
+     */
+    private function resolveHeader(Request $request, string $component): string
+    {
+        if (str_starts_with($component, '@')) {
+            throw new \InvalidArgumentException(sprintf('Unsupported derived component "%s".', $component));
+        }
+
+        $value = $request->headers->get($component);
+        if ($value === null) {
+            throw new \InvalidArgumentException(sprintf('Signed header "%s" is missing from the request.', $component));
+        }
+
+        // RFC 9421 Section 2.1: 先頭末尾の OWS を除去する (obs-fold は HTTP/1.1 で既に除去済み想定)。
+        return trim($value);
+    }
+
+    /**
+     * リクエストターゲットの絶対パス部分 (@path) を返す.
+     */
+    private function path(Request $request): string
+    {
+        $requestUri = $request->getRequestUri();
+        $queryPos = strpos($requestUri, '?');
+
+        return $queryPos === false ? $requestUri : substr($requestUri, 0, $queryPos);
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpAgentHeader.php b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpAgentHeader.php
new file mode 100644
index 00000000000..c3210eba305
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpAgentHeader.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp\Signature;
+
+/**
+ * `UCP-Agent` リクエストヘッダ (RFC 8941 Dictionary) のパーサ.
+ *
+ * 形式: `profile="https://platform.example/.well-known/ucp"` のように、
+ * `profile` メンバにプラットフォームの HTTPS プロファイル URL を保持する。
+ * 全 UCP リクエストで必須であり、署名検証時の公開鍵取得元となる。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md (UCP-Agent header)
+ */
+final readonly class UcpAgentHeader
+{
+    private function __construct(
+        public string $profileUrl,
+    ) {
+    }
+
+    /**
+     * ヘッダ値から profile URL を抽出する.
+     *
+     * @throws \InvalidArgumentException profile メンバが無い / HTTPS でない場合
+     */
+    public static function parse(string $headerValue): self
+    {
+        // RFC 8941 Dictionary の単純パース: profile="..." を取り出す。
+        if (!preg_match('/profile\s*=\s*"([^"]+)"/', $headerValue, $matches)) {
+            throw new \InvalidArgumentException('UCP-Agent header must contain a quoted "profile" member.');
+        }
+
+        $url = $matches[1];
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        // RFC 3986 では scheme は大文字小文字を区別しない (HTTPS == https) ため小文字化して比較する。
+        if (!is_string($scheme) || strtolower($scheme) !== 'https') {
+            throw new \InvalidArgumentException('UCP-Agent profile URL must be an absolute HTTPS URL.');
+        }
+
+        return new self($url);
+    }
+
+    /**
+     * profile URL のホスト名を返す (ドメイン許可リスト照合に使用).
+     */
+    public function host(): string
+    {
+        $host = parse_url($this->profileUrl, PHP_URL_HOST);
+
+        return is_string($host) ? strtolower($host) : '';
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcher.php b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcher.php
new file mode 100644
index 00000000000..5f13ace5cc4
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcher.php
@@ -0,0 +1,154 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Exception\UcpSignatureException;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface as HttpClientExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+/**
+ * エージェント (プラットフォーム) の UCP プロファイルを取得し、署名検証用の公開鍵 JWK を抽出する.
+ *
+ * `UCP-Agent` ヘッダの profile URL から `/.well-known/ucp` 相当のプロファイル文書を取得する。
+ * - **HTTPS 必須・リダイレクト追従禁止** (RFC 9421 / UCP signatures.md の鍵探索要件)。
+ * - 取得した文書の `signing_keys[]` (EC 公開鍵 JWK) を返す。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md (key discovery: profile.signing_keys[], no redirects)
+ */
+class UcpProfileFetcher
+{
+    /**
+     * @var \Closure(string): (list<string>|false) ホスト名 -> 解決 IP 群を返すリゾルバ
+     */
+    private readonly \Closure $hostResolver;
+
+    /**
+     * @param HttpClientInterface          $httpClient   profile 取得クライアント
+     * @param (callable(string): (list<string>|false))|null $hostResolver A レコード解決器 (既定は gethostbynamel、テストで差し替え可)
+     */
+    public function __construct(
+        private readonly HttpClientInterface $httpClient,
+        ?callable $hostResolver = null,
+    ) {
+        $this->hostResolver = $hostResolver !== null
+            ? \Closure::fromCallable($hostResolver)
+            : gethostbynamel(...);
+    }
+
+    /**
+     * profile URL から signing_keys[] (JWK 配列) を取得する.
+     *
+     * @return list<array<string, mixed>> 公開鍵 JWK の配列
+     *
+     * @throws UcpSignatureException 取得失敗 / 文書不正 / 鍵が無い場合
+     */
+    public function fetchSigningKeys(string $profileUrl): array
+    {
+        if (parse_url($profileUrl, PHP_URL_SCHEME) !== 'https') {
+            throw new UcpSignatureException('Agent profile URL must be HTTPS.');
+        }
+
+        // SSRF 対策: profile URL は UCP-Agent ヘッダ由来 (エージェント供給) のため、
+        // 内部アドレスへの到達を HTTP リクエスト前に遮断する。許可ドメインリスト
+        // (UcpRequestSignatureVerifier 側) と併用する多層防御。
+        $host = parse_url($profileUrl, PHP_URL_HOST);
+        if (!is_string($host) || $host === '') {
+            throw new UcpSignatureException('Agent profile URL has no host.');
+        }
+        $this->assertPublicHost($host);
+
+        try {
+            $response = $this->httpClient->request('GET', $profileUrl, [
+                // 鍵探索ではリダイレクトを追従しない (なりすまし防止)。
+                'max_redirects' => 0,
+                'headers' => ['Accept' => 'application/json'],
+                // 応答が無いエージェント profile で署名検証がハングしないよう上限を設ける
+                // (timeout=接続/アイドル, max_duration=総時間)。
+                'timeout' => 5,
+                'max_duration' => 10,
+            ]);
+
+            if ($response->getStatusCode() !== 200) {
+                // 上流ステータスコードはそのまま返さない (内部探索のオラクルを避ける)。
+                throw new UcpSignatureException('Agent profile fetch did not return a successful response.');
+            }
+
+            /** @var array<string, mixed> $document */
+            $document = $response->toArray(false);
+        } catch (UcpSignatureException $e) {
+            throw $e;
+        } catch (HttpClientExceptionInterface|\JsonException $e) {
+            throw new UcpSignatureException('Failed to fetch or parse the agent profile.', 0, $e);
+        }
+
+        return $this->extractSigningKeys($document);
+    }
+
+    /**
+     * ホストが公開アドレスへ解決されることを確認する (loopback/RFC1918/link-local/reserved を拒否).
+     *
+     * SSRF 対策の中核。IP リテラルはそのまま、ドメインは A レコード解決後の全 IP を検査する。
+     * 注: 解決と HttpClient の名前解決の間の DNS rebinding は残存リスクであり、厳格な運用では
+     * UcpRequestSignatureVerifier のドメイン許可リスト併用を推奨する。IPv6 のみのホストは
+     * gethostbynamel() が解決できず fail-closed (拒否) となる。
+     */
+    private function assertPublicHost(string $host): void
+    {
+        // IP リテラル (v4/v6) はそのまま、ホスト名は A レコードを解決する。
+        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (($this->hostResolver)($host) ?: []);
+        if ($ips === []) {
+            throw new UcpSignatureException('Agent profile host could not be resolved to a public address.');
+        }
+
+        foreach ($ips as $ip) {
+            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
+                throw new UcpSignatureException('Agent profile host resolves to a non-public address.');
+            }
+        }
+    }
+
+    /**
+     * プロファイル文書から signing_keys[] を抽出する.
+     *
+     * @param array<string, mixed> $document
+     *
+     * @return list<array<string, mixed>>
+     */
+    private function extractSigningKeys(array $document): array
+    {
+        // signing_keys はラッパー直下、または ucp オブジェクト配下のいずれもあり得るため両対応。
+        $signingKeys = $document['signing_keys'] ?? null;
+        if (!is_array($signingKeys) && isset($document['ucp']) && is_array($document['ucp'])) {
+            $signingKeys = $document['ucp']['signing_keys'] ?? null;
+        }
+
+        if (!is_array($signingKeys) || $signingKeys === []) {
+            throw new UcpSignatureException('Agent profile does not advertise any signing_keys.');
+        }
+
+        $keys = [];
+        foreach ($signingKeys as $key) {
+            if (is_array($key) && isset($key['kty']) && $key['kty'] === 'EC') {
+                /** @var array<string, mixed> $key */
+                $keys[] = $key;
+            }
+        }
+
+        if ($keys === []) {
+            throw new UcpSignatureException('Agent profile has no EC public keys in signing_keys.');
+        }
+
+        return $keys;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifier.php b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifier.php
new file mode 100644
index 00000000000..945feca0f90
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifier.php
@@ -0,0 +1,266 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Exception\UcpSignatureException;
+use phpseclib3\Crypt\EC\PublicKey;
+use phpseclib3\Crypt\PublicKeyLoader;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * UCP インバウンドリクエストの RFC 9421 HTTP Message Signatures 検証.
+ *
+ * UCP の標準インバウンド認証であり OAuth2/eccube-api4 に依存しない。検証手順:
+ * 1. `UCP-Agent` ヘッダから profile URL を解析し、ドメイン許可リストと照合する。
+ * 2. (ボディを伴う場合) `Content-Digest` を生ボディの SHA-256 と照合する。
+ * 3. `Signature-Input`/`Signature` を解析し、covered component から signature base を再構成する。
+ * 4. エージェントの profile から `signing_keys[]` を取得し、keyid で公開鍵を特定する。
+ * 5. ES256 (EC P-256) で署名を検証する。
+ *
+ * 署名は仕様上 MAY (代替認証も許容) のため、本検証は「署名が提示されていれば必須検証」とする
+ * present-then-verify 方針。署名が無いリクエストの扱い (拒否するか) は呼び出し側 (サブスクライバ) が
+ * 設定で決める。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md (RFC 9421, ES256, Content-Digest, profile.signing_keys[])
+ * @see https://www.rfc-editor.org/rfc/rfc9421
+ */
+class UcpRequestSignatureVerifier
+{
+    /**
+     * @var list<string> 許可するエージェント profile ドメイン (空なら HTTPS である限り制限しない)
+     */
+    private readonly array $allowedDomains;
+
+    /**
+     * @param UcpProfileFetcher          $profileFetcher    エージェント公開鍵の取得元
+     * @param Rfc9421SignatureBaseBuilder $signatureBaseBuilder signature base 構築
+     * @param list<string>               $allowedDomains    許可ドメインのホスト名リスト
+     */
+    public function __construct(
+        private readonly UcpProfileFetcher $profileFetcher,
+        private readonly Rfc9421SignatureBaseBuilder $signatureBaseBuilder,
+        array $allowedDomains = [],
+    ) {
+        $this->allowedDomains = array_map(strtolower(...), $allowedDomains);
+    }
+
+    /**
+     * リクエストが RFC 9421 署名を提示しているか.
+     */
+    public function isSigned(Request $request): bool
+    {
+        return $request->headers->has('Signature') && $request->headers->has('Signature-Input');
+    }
+
+    /**
+     * リクエストの署名を検証する. 失敗時は例外を投げる.
+     *
+     * @return UcpAgentHeader 検証済みのエージェント情報
+     *
+     * @throws UcpSignatureException 署名欠落・不正・鍵不一致・Content-Digest 不一致・許可外ドメイン
+     */
+    public function verify(Request $request): UcpAgentHeader
+    {
+        $ucpAgentValue = $request->headers->get('UCP-Agent');
+        if ($ucpAgentValue === null || $ucpAgentValue === '') {
+            throw new UcpSignatureException('UCP-Agent header is required.');
+        }
+
+        try {
+            $agent = UcpAgentHeader::parse($ucpAgentValue);
+        } catch (\InvalidArgumentException $e) {
+            throw new UcpSignatureException($e->getMessage(), 0, $e);
+        }
+
+        $this->assertDomainAllowed($agent->host());
+
+        if (!$this->isSigned($request)) {
+            throw new UcpSignatureException('Signature and Signature-Input headers are required.');
+        }
+
+        $this->verifyContentDigest($request);
+
+        [$components, $signatureParams, $keyId] = $this->parseSignatureInput((string) $request->headers->get('Signature-Input'));
+        $rawSignature = $this->parseSignature((string) $request->headers->get('Signature'));
+
+        try {
+            $signatureBase = $this->signatureBaseBuilder->build($request, $components, $signatureParams);
+        } catch (\InvalidArgumentException $e) {
+            throw new UcpSignatureException($e->getMessage(), 0, $e);
+        }
+
+        $jwks = $this->profileFetcher->fetchSigningKeys($agent->profileUrl);
+        if (!$this->verifyAgainstKeys($signatureBase, $rawSignature, $jwks, $keyId)) {
+            throw new UcpSignatureException('RFC 9421 signature verification failed.');
+        }
+
+        return $agent;
+    }
+
+    private function assertDomainAllowed(string $host): void
+    {
+        if ($this->allowedDomains === []) {
+            return;
+        }
+
+        if (!in_array($host, $this->allowedDomains, true)) {
+            throw new UcpSignatureException(sprintf('Agent domain "%s" is not allowed.', $host));
+        }
+    }
+
+    /**
+     * Content-Digest を生ボディの SHA-256 と照合する (ボディが無ければスキップ).
+     */
+    private function verifyContentDigest(Request $request): void
+    {
+        $body = $request->getContent();
+        $header = $request->headers->get('Content-Digest');
+
+        if ($body === '' && $header === null) {
+            return;
+        }
+
+        if ($header === null) {
+            throw new UcpSignatureException('Content-Digest header is required for requests with a body.');
+        }
+
+        // 形式: sha-256=:<base64>:
+        if (!preg_match('/sha-256=:([^:]+):/', $header, $matches)) {
+            throw new UcpSignatureException('Content-Digest must use the sha-256 algorithm.');
+        }
+
+        $expected = base64_encode(hash('sha256', $body, true));
+        if (!hash_equals($expected, $matches[1])) {
+            throw new UcpSignatureException('Content-Digest does not match the request body.');
+        }
+    }
+
+    /**
+     * Signature-Input をパースして covered components / signature-params / keyid を返す.
+     *
+     * @return array{0: list<string>, 1: string, 2: ?string}
+     */
+    private function parseSignatureInput(string $headerValue): array
+    {
+        // 形式: <label>=("comp1" "comp2");param=...;keyid="..."。最初のラベルのみ対象とする。
+        if (!preg_match('/^[A-Za-z0-9_-]+=(\(.*)$/s', trim($headerValue), $matches)) {
+            throw new UcpSignatureException('Malformed Signature-Input header.');
+        }
+
+        $signatureParams = $matches[1];
+
+        if (!preg_match('/\((.*?)\)/', $signatureParams, $listMatch)) {
+            throw new UcpSignatureException('Signature-Input is missing the covered components list.');
+        }
+
+        preg_match_all('/"([^"]+)"/', $listMatch[1], $componentMatches);
+        $components = $componentMatches[1];
+        if ($components === []) {
+            throw new UcpSignatureException('Signature-Input declares no covered components.');
+        }
+
+        $keyId = null;
+        if (preg_match('/keyid="([^"]+)"/', $signatureParams, $keyMatch)) {
+            $keyId = $keyMatch[1];
+        }
+
+        return [$components, $signatureParams, $keyId];
+    }
+
+    /**
+     * Signature ヘッダから生の署名バイト列を取り出す.
+     */
+    private function parseSignature(string $headerValue): string
+    {
+        // 形式: <label>=:<base64>:。RFC 9421 の sf-binary は標準 base64。
+        if (!preg_match('/^[A-Za-z0-9_-]+=:([^:]+):/s', trim($headerValue), $matches)) {
+            throw new UcpSignatureException('Malformed Signature header.');
+        }
+
+        $raw = base64_decode($matches[1], true);
+        if ($raw === false || $raw === '') {
+            throw new UcpSignatureException('Signature value is not valid base64.');
+        }
+
+        return $raw;
+    }
+
+    /**
+     * 候補鍵 (keyid 一致を優先) に対して ES256 検証を試みる.
+     *
+     * @param list<array<string, mixed>> $jwks
+     */
+    private function verifyAgainstKeys(string $signatureBase, string $rawSignature, array $jwks, ?string $keyId): bool
+    {
+        $candidates = $jwks;
+        if ($keyId !== null) {
+            $matched = array_values(array_filter(
+                $jwks,
+                static fn (array $jwk): bool => ($jwk['kid'] ?? null) === $keyId
+            ));
+            if ($matched !== []) {
+                $candidates = $matched;
+            }
+        }
+
+        foreach ($candidates as $jwk) {
+            $publicKey = $this->loadPublicKey($jwk);
+            if ($publicKey === null) {
+                continue;
+            }
+
+            try {
+                $verified = $publicKey
+                    ->withSignatureFormat('IEEE')
+                    ->withHash('sha256')
+                    ->verify($signatureBase, $rawSignature);
+            } catch (\Throwable) {
+                continue;
+            }
+
+            if ($verified) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * EC 公開鍵 JWK を phpseclib の PublicKey へ読み込む.
+     *
+     * @param array<string, mixed> $jwk
+     */
+    private function loadPublicKey(array $jwk): ?PublicKey
+    {
+        if (($jwk['kty'] ?? null) !== 'EC' || !isset($jwk['x'], $jwk['y'], $jwk['crv'])) {
+            return null;
+        }
+
+        $json = json_encode([
+            'kty' => 'EC',
+            'crv' => $jwk['crv'],
+            'x' => $jwk['x'],
+            'y' => $jwk['y'],
+        ], JSON_UNESCAPED_SLASHES);
+
+        try {
+            $key = PublicKeyLoader::load((string) $json);
+        } catch (\Throwable) {
+            return null;
+        }
+
+        return $key instanceof PublicKey ? $key : null;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpSignatureSubscriber.php b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpSignatureSubscriber.php
new file mode 100644
index 00000000000..d1800aa3383
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/Signature/UcpSignatureSubscriber.php
@@ -0,0 +1,87 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Exception\UcpSignatureException;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * UCP checkout ルートに RFC 9421 署名検証を適用するサブスクライバ.
+ *
+ * UCP のインバウンド認証は HTTP Message Signatures が標準であり、OAuth2/eccube-api4 に依存しない。
+ * 署名が提示されていれば必ず検証し (present-then-verify)、失敗時はプロトコル系エラー (HTTP 401) を返す。
+ * 署名が無いリクエストを拒否するか (`$requireSignature`) は設定で決める。GET (取得) は状態変更を
+ * 伴わないため署名必須対象から除外する (提示されていれば検証はする)。
+ *
+ * 検証成功時はエージェントの profile URL を request 属性 `ucp_agent_profile` に格納する。
+ */
+class UcpSignatureSubscriber implements EventSubscriberInterface
+{
+    public function __construct(
+        private readonly UcpRequestSignatureVerifier $verifier,
+        private readonly bool $requireSignature = false,
+    ) {
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            KernelEvents::CONTROLLER => 'onController',
+        ];
+    }
+
+    public function onController(ControllerEvent $event): void
+    {
+        $request = $event->getRequest();
+        $route = (string) $request->attributes->get('_route');
+        if (!str_starts_with($route, 'ucp_checkout_')) {
+            return;
+        }
+
+        $isStateChanging = !$request->isMethod('GET');
+        $isSigned = $this->verifier->isSigned($request);
+
+        if (!$isSigned) {
+            // 署名が無い場合: 状態変更操作かつ必須設定のときのみ拒否する。
+            if ($isStateChanging && $this->requireSignature) {
+                $this->reject($event, 'Request signature is required.');
+            }
+
+            return;
+        }
+
+        try {
+            $agent = $this->verifier->verify($request);
+        } catch (UcpSignatureException) {
+            // 内部エラー詳細 (鍵の問題・profile 取得失敗理由等) はクライアントへ露出させない。
+            $this->reject($event, 'Request signature verification failed.');
+
+            return;
+        }
+
+        $request->attributes->set('ucp_agent_profile', $agent->profileUrl);
+    }
+
+    private function reject(ControllerEvent $event, string $message): void
+    {
+        $event->setController(static fn (): JsonResponse => new JsonResponse(
+            ['code' => 'signature_invalid', 'content' => $message],
+            Response::HTTP_UNAUTHORIZED,
+        ));
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/UcpCheckoutSessionMapper.php b/src/Eccube/Service/AgentCommerce/Ucp/UcpCheckoutSessionMapper.php
new file mode 100644
index 00000000000..1852a4e9321
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/UcpCheckoutSessionMapper.php
@@ -0,0 +1,388 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp;
+
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Repository\ProductClassRepository;
+use Eccube\Service\AgentCommerce\AddressMappingService;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutAddress;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutLineItem;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutRequest;
+use Eccube\Service\AgentCommerce\MinorUnitConverter;
+use Eccube\Service\AgentCommerce\StorefrontUrlResolver;
+
+/**
+ * UCP の REST ペイロード ↔ EC-CUBE の中立 DTO / レスポンスのマッピング.
+ *
+ * - リクエスト: UCP create/update の `line_items[].item.id`(=ProductClass id)・`quantity`、
+ *   `buyer`、`fulfillment` destination の postal address を {@link AgentCheckoutRequest} へ写す。
+ * - レスポンス: 再計算後の `Order` (または住所未確定時の暫定見積) から UCP checkout レスポンスを組み立てる。
+ *   金額は {@link MinorUnitConverter} で minor unit 整数化し、`totals` は spec の符号制約
+ *   (discount は負、subtotal/fulfillment/tax/fee は非負) に従う。代引手数料は `type:"fee"` 行に出す。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout.json / checkout-rest.md (v2026-04-08)
+ */
+class UcpCheckoutSessionMapper
+{
+    /** UCP プロトコルバージョン (YYYY-MM-DD). */
+    public const UCP_VERSION = '2026-04-08';
+
+    public function __construct(
+        private readonly MinorUnitConverter $minorUnitConverter,
+        private readonly StorefrontUrlResolver $urlResolver,
+        private readonly UcpStatusMapper $statusMapper,
+        private readonly AddressMappingService $addressMappingService,
+        private readonly ProductClassRepository $productClassRepository,
+    ) {
+    }
+
+    /**
+     * UCP create/update ペイロードを中立リクエスト DTO へ変換する.
+     *
+     * @param array<string, mixed> $payload
+     */
+    public function toCheckoutRequest(array $payload, ?string $agentId): AgentCheckoutRequest
+    {
+        $lineItems = [];
+        $rawLineItems = $payload['line_items'] ?? [];
+        if (is_array($rawLineItems)) {
+            foreach ($rawLineItems as $rawLineItem) {
+                if (!is_array($rawLineItem)) {
+                    continue;
+                }
+                $itemId = $rawLineItem['item']['id'] ?? null;
+                $quantity = $rawLineItem['quantity'] ?? null;
+
+                $lineItems[] = new AgentCheckoutLineItem(
+                    is_numeric($itemId) ? (int) $itemId : 0,
+                    is_numeric($quantity) ? (int) $quantity : 0,
+                );
+            }
+        }
+
+        $currency = is_string($payload['currency'] ?? null) ? $payload['currency'] : 'JPY';
+
+        return new AgentCheckoutRequest(
+            $lineItems,
+            $this->extractAddress($payload),
+            $currency,
+            AgentProtocol::UCP,
+            $agentId,
+        );
+    }
+
+    /**
+     * 再計算済みの `Order` から UCP checkout レスポンスを組み立てる.
+     *
+     * @param list<array<string, mixed>> $ucpMessages
+     *
+     * @return array<string, mixed>
+     */
+    public function buildResponseFromOrder(CheckoutSession $session, Order $order, array $ucpMessages, ?string $continueUrl = null): array
+    {
+        $currency = $session->getCurrencyCode();
+
+        $response = $this->baseResponse($session, $ucpMessages);
+        $response['line_items'] = $this->lineItemsFromOrder($order, $currency);
+        $response['totals'] = $this->totalsFromOrder($order, $currency);
+
+        if ($continueUrl !== null) {
+            $response['continue_url'] = $continueUrl;
+        }
+
+        if ($session->getStatus()?->getId() === CheckoutSessionStatus::COMPLETED) {
+            $response['order'] = [
+                'id' => (string) ($order->getOrderNo() ?? $order->getId()),
+                'permalink_url' => $this->urlResolver->orderPermalinkUrl((string) ($order->getOrderNo() ?? $order->getId())),
+            ];
+        }
+
+        return $response;
+    }
+
+    /**
+     * 住所未確定 (Order 未生成) の暫定見積レスポンスを組み立てる.
+     *
+     * 商品単価から subtotal を算出し、total は subtotal と同値とする (送料・税は住所確定後に再計算)。
+     *
+     * @param list<array<string, mixed>> $ucpMessages
+     *
+     * @return array<string, mixed>
+     */
+    public function buildProvisionalResponse(CheckoutSession $session, AgentCheckoutRequest $request, array $ucpMessages): array
+    {
+        $currency = $session->getCurrencyCode();
+
+        $lineItems = [];
+        $subtotalMinor = 0;
+        foreach ($request->lineItems as $lineItem) {
+            $productClass = $this->productClassRepository->find($lineItem->productClassId);
+            if ($productClass === null) {
+                continue;
+            }
+            $unitMinor = $this->minorUnitConverter->toMinorUnits((string) $productClass->getPrice02IncTax(), $currency);
+            $lineTotalMinor = $unitMinor * $lineItem->quantity;
+            $subtotalMinor += $lineTotalMinor;
+
+            $lineItems[] = [
+                'id' => (string) $productClass->getId(),
+                'item' => [
+                    'id' => (string) $productClass->getId(),
+                    'title' => (string) $productClass->getProduct()?->getName(),
+                    'price' => $unitMinor,
+                ],
+                'quantity' => $lineItem->quantity,
+                'totals' => [
+                    ['type' => 'total', 'amount' => $lineTotalMinor],
+                ],
+            ];
+        }
+
+        $response = $this->baseResponse($session, $ucpMessages);
+        $response['line_items'] = $lineItems;
+        $response['totals'] = [
+            ['type' => 'subtotal', 'amount' => $subtotalMinor],
+            ['type' => 'total', 'amount' => $subtotalMinor],
+        ];
+
+        return $response;
+    }
+
+    /**
+     * レスポンスの共通骨格 (ucp/id/status/currency/links/messages/buyer/expires_at).
+     *
+     * @param list<array<string, mixed>> $ucpMessages
+     *
+     * @return array<string, mixed>
+     */
+    private function baseResponse(CheckoutSession $session, array $ucpMessages): array
+    {
+        $hasError = false;
+        foreach ($ucpMessages as $message) {
+            if (($message['type'] ?? null) === 'error') {
+                $hasError = true;
+                break;
+            }
+        }
+
+        $response = [
+            'ucp' => [
+                'version' => self::UCP_VERSION,
+                'status' => $hasError ? 'error' : 'success',
+            ],
+            'id' => $session->getSessionId(),
+            'status' => $this->statusMapper->toUcpStatus($session->getStatus()),
+            'currency' => $session->getCurrencyCode(),
+            'links' => [
+                ['type' => 'privacy_policy', 'url' => $this->urlResolver->privacyPolicyUrl()],
+                ['type' => 'terms_of_service', 'url' => $this->urlResolver->termsOfServiceUrl()],
+            ],
+        ];
+
+        if ($ucpMessages !== []) {
+            $response['messages'] = $ucpMessages;
+        }
+
+        $buyer = $this->buyerEcho($session);
+        if ($buyer !== []) {
+            $response['buyer'] = $buyer;
+        }
+
+        $expiresAt = $session->getExpiresAt();
+        if ($expiresAt !== null) {
+            $response['expires_at'] = $expiresAt->format(\DateTimeInterface::RFC3339);
+        }
+
+        return $response;
+    }
+
+    /**
+     * `Order` の明細 (商品行) を UCP line_items[] へ写す.
+     *
+     * @return list<array<string, mixed>>
+     */
+    private function lineItemsFromOrder(Order $order, string $currency): array
+    {
+        $lineItems = [];
+        foreach ($order->getOrderItems() as $orderItem) {
+            if (!$orderItem->isProduct()) {
+                continue;
+            }
+            $productClass = $orderItem->getProductClass();
+            $id = $productClass !== null ? (string) $productClass->getId() : (string) $orderItem->getId();
+
+            $lineItems[] = [
+                'id' => $id,
+                'item' => [
+                    'id' => $id,
+                    'title' => $orderItem->getProductName(),
+                    'price' => $this->minorUnitConverter->toMinorUnits((string) $orderItem->getPriceIncTax(), $currency),
+                ],
+                'quantity' => (int) $orderItem->getQuantity(),
+                'totals' => [
+                    ['type' => 'total', 'amount' => $this->minorUnitConverter->toMinorUnits((string) $orderItem->getTotalPrice(), $currency)],
+                ],
+            ];
+        }
+
+        return $lineItems;
+    }
+
+    /**
+     * `Order` の金額から UCP totals[] を組み立てる.
+     *
+     * subtotal と total は常に出力し、discount(負)/fulfillment/fee(代引手数料)/tax は非零のときのみ出力する。
+     *
+     * @return list<array<string, mixed>>
+     */
+    private function totalsFromOrder(Order $order, string $currency): array
+    {
+        $convert = fn (string $amount): int => $this->minorUnitConverter->toMinorUnits($amount, $currency);
+
+        $totals = [
+            ['type' => 'subtotal', 'amount' => $convert($order->getSubtotal())],
+        ];
+
+        $discount = $convert($order->getDiscount());
+        if ($discount !== 0) {
+            // UCP の discount は負の符号。
+            $totals[] = ['type' => 'discount', 'amount' => -abs($discount)];
+        }
+
+        $fulfillment = $convert($order->getDeliveryFeeTotal());
+        if ($fulfillment !== 0) {
+            $totals[] = ['type' => 'fulfillment', 'amount' => $fulfillment];
+        }
+
+        // 代引手数料 (Payment.charge を Order に集約済み) は fee 行に出す。
+        $fee = $convert($order->getCharge());
+        if ($fee !== 0) {
+            $totals[] = ['type' => 'fee', 'amount' => $fee];
+        }
+
+        $tax = $convert($order->getTax());
+        if ($tax !== 0) {
+            $totals[] = ['type' => 'tax', 'amount' => $tax];
+        }
+
+        $totals[] = ['type' => 'total', 'amount' => $convert($order->getPaymentTotal())];
+
+        return $totals;
+    }
+
+    /**
+     * セッションの buyer_data を UCP buyer ブロックへ写す (無ければ空配列).
+     *
+     * @return array<string, mixed>
+     */
+    private function buyerEcho(CheckoutSession $session): array
+    {
+        $buyerData = $session->getBuyerData();
+        if (!is_array($buyerData) || $buyerData === []) {
+            return [];
+        }
+
+        $buyer = [];
+        if (isset($buyerData['given_name'])) {
+            $buyer['first_name'] = (string) $buyerData['given_name'];
+        }
+        if (isset($buyerData['family_name'])) {
+            $buyer['last_name'] = (string) $buyerData['family_name'];
+        }
+        if (isset($buyerData['email'])) {
+            $buyer['email'] = (string) $buyerData['email'];
+        }
+        if (isset($buyerData['phone'])) {
+            $buyer['phone_number'] = (string) $buyerData['phone'];
+        }
+
+        return $buyer;
+    }
+
+    /**
+     * ペイロードから配送先住所 (buyer + fulfillment destination の postal address) を抽出する.
+     *
+     * buyer ブロックの氏名・連絡先と、fulfillment destination の postal address を統合する。
+     * 完全な fulfillment method/group negotiation は本実装では扱わず、最初の destination の
+     * postal address のみを解決する (それ以上は app/Customize の拡張余地)。
+     *
+     * @param array<string, mixed> $payload
+     */
+    private function extractAddress(array $payload): ?AgentCheckoutAddress
+    {
+        $buyer = is_array($payload['buyer'] ?? null) ? $payload['buyer'] : [];
+        $postal = $this->firstDestinationPostalAddress($payload);
+
+        // 配送先 (postal destination) が無ければ住所未確定とみなす (buyer 連絡先のみでは
+        // 送料計算ができないため)。住所は update で後追い提供できる (incomplete 経由)。
+        if ($postal === []) {
+            return null;
+        }
+
+        $givenName = $this->stringOrNull($buyer['first_name'] ?? $postal['first_name'] ?? null);
+        $familyName = $this->stringOrNull($buyer['last_name'] ?? $postal['last_name'] ?? null);
+
+        $pref = $this->addressMappingService->getPrefFromRegion($this->stringOrNull($postal['address_region'] ?? null));
+
+        return new AgentCheckoutAddress(
+            name01: $familyName,
+            name02: $givenName,
+            kana01: null,
+            kana02: null,
+            companyName: null,
+            postalCode: $this->stringOrNull($postal['postal_code'] ?? null),
+            prefId: $pref?->getId(),
+            addr01: $this->stringOrNull($postal['address_locality'] ?? null),
+            addr02: $this->stringOrNull($postal['street_address'] ?? null),
+            email: $this->stringOrNull($buyer['email'] ?? null),
+            phoneNumber: $this->stringOrNull($buyer['phone_number'] ?? $postal['phone_number'] ?? null),
+        );
+    }
+
+    /**
+     * fulfillment destination の最初の postal address を取り出す.
+     *
+     * `fulfillment.destinations[]` および `fulfillment.methods[].destinations[]` の双方を許容する。
+     *
+     * @param array<string, mixed> $payload
+     *
+     * @return array<string, mixed>
+     */
+    private function firstDestinationPostalAddress(array $payload): array
+    {
+        $fulfillment = $payload['fulfillment'] ?? null;
+        if (!is_array($fulfillment)) {
+            return [];
+        }
+
+        $destinations = [];
+        if (isset($fulfillment['destinations']) && is_array($fulfillment['destinations'])) {
+            $destinations = $fulfillment['destinations'];
+        } elseif (isset($fulfillment['methods'][0]['destinations']) && is_array($fulfillment['methods'][0]['destinations'])) {
+            $destinations = $fulfillment['methods'][0]['destinations'];
+        }
+
+        $first = $destinations[0] ?? null;
+
+        return is_array($first) ? $first : [];
+    }
+
+    private function stringOrNull(mixed $value): ?string
+    {
+        return is_string($value) && $value !== '' ? $value : null;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/UcpMessageMapper.php b/src/Eccube/Service/AgentCommerce/Ucp/UcpMessageMapper.php
new file mode 100644
index 00000000000..e4778edd928
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/UcpMessageMapper.php
@@ -0,0 +1,89 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp;
+
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessage;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessageLevel;
+
+/**
+ * 中立メッセージ ({@link AgentCheckoutMessage}) を UCP の messages[] 表現へ写す.
+ *
+ * UCP のビジネスロジックエラーは HTTP 200 + messages[] で表現する。各メッセージは
+ * `type` (error/warning/info) と、error は `severity` (recoverable/requires_buyer_input/
+ * requires_buyer_review/unrecoverable) を持つ。
+ *
+ * PurchaseFlow 由来のメッセージは自由文のため、標準では `severity: recoverable` (update で
+ * 再試行可能) とし、`code` は付与しない (UCP では optional)。`out_of_stock` 等の構造化コード付与は
+ * app/Customize での拡張余地とする。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP message_error.json (type, severity, content)
+ */
+class UcpMessageMapper
+{
+    /**
+     * 中立メッセージ群を UCP messages[] へ変換する.
+     *
+     * @param array<int, AgentCheckoutMessage> $messages
+     *
+     * @return list<array<string, mixed>>
+     */
+    public function toUcpMessages(array $messages): array
+    {
+        $result = [];
+        foreach ($messages as $message) {
+            $result[] = $this->toUcpMessage($message);
+        }
+
+        return $result;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function toUcpMessage(AgentCheckoutMessage $message): array
+    {
+        $entry = [
+            'type' => $message->level->value,
+            'content' => $message->message,
+            'content_type' => 'plain',
+        ];
+
+        // error のみ severity を付す。PurchaseFlow 由来は update での再入力で解消し得るため recoverable。
+        if ($message->level === AgentCheckoutMessageLevel::ERROR) {
+            $entry['severity'] = 'recoverable';
+        }
+
+        return $entry;
+    }
+
+    /**
+     * メッセージ群が requires_buyer_input/review 相当のエスカレーションを要するか.
+     *
+     * 標準では recoverable のみ生成するため常に false。エスカレーション (requires_escalation)
+     * 判定の拡張余地として seam を用意する。
+     *
+     * @param list<array<string, mixed>> $ucpMessages
+     */
+    public function requiresEscalation(array $ucpMessages): bool
+    {
+        foreach ($ucpMessages as $message) {
+            $severity = $message['severity'] ?? null;
+            if ($severity === 'requires_buyer_input' || $severity === 'requires_buyer_review') {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/src/Eccube/Service/AgentCommerce/Ucp/UcpStatusMapper.php b/src/Eccube/Service/AgentCommerce/Ucp/UcpStatusMapper.php
new file mode 100644
index 00000000000..1b699d93afe
--- /dev/null
+++ b/src/Eccube/Service/AgentCommerce/Ucp/UcpStatusMapper.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Service\AgentCommerce\Ucp;
+
+use Eccube\Entity\Master\CheckoutSessionStatus;
+
+/**
+ * EC-CUBE の正規化ステータスマスタ ↔ UCP の checkout status 語彙の境界変換.
+ *
+ * EC-CUBE はプロトコル横断の正規化ステータス (incomplete/ready/completed/canceled/expired) を
+ * マスタで保持する。UCP の正準語彙とは `ready` ↔ `ready_for_complete` が異なるため、
+ * 公開境界でのみ変換する (マスタは拡張しない方針)。
+ *
+ * 追加認証 / escalation 待ちの正規化ステータス `requires_action` は UCP の `requires_escalation` へ、
+ * 非同期決済確定待ちの `in_progress` は `complete_in_progress` へ変換する (#6777 の状態機械)。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout.json (status enum)
+ */
+class UcpStatusMapper
+{
+    /**
+     * 正規化ステータスマスタ id を UCP の status 文字列へ変換する.
+     */
+    public function toUcpStatus(?CheckoutSessionStatus $status): string
+    {
+        return match ($status?->getId()) {
+            CheckoutSessionStatus::READY => 'ready_for_complete',
+            CheckoutSessionStatus::COMPLETED => 'completed',
+            CheckoutSessionStatus::CANCELED => 'canceled',
+            // expired は UCP の正準語彙に無いため、終端の canceled として表現する。
+            CheckoutSessionStatus::EXPIRED => 'canceled',
+            // 追加認証 / escalation 待ち (在庫を保持して再開 complete を待つ中間状態)。
+            CheckoutSessionStatus::REQUIRES_ACTION => 'requires_escalation',
+            // 非同期決済の確定待ち。
+            CheckoutSessionStatus::IN_PROGRESS => 'complete_in_progress',
+            default => 'incomplete',
+        };
+    }
+}
diff --git a/src/Eccube/Service/CartService.php b/src/Eccube/Service/CartService.php
index b529cc2c116..80e3b54bd9c 100644
--- a/src/Eccube/Service/CartService.php
+++ b/src/Eccube/Service/CartService.php
@@ -98,7 +98,9 @@ public function getCarts(bool $empty_delete = false): array
      */
     public function getPersistedCarts(): array
     {
-        return $this->cartRepository->findBy(['Customer' => $this->getUser()]);
+        // agent_owned (エージェントコマースの CheckoutSession 所有) のカートは
+        // Web ストアフロントの操作対象から除外する。
+        return $this->cartRepository->findBy(['Customer' => $this->getUser(), 'agent_owned' => false]);
     }
 
     /**
@@ -114,7 +116,7 @@ public function getSessionCarts(): array
             return [];
         }
 
-        return $this->cartRepository->findBy(['cart_key' => $cartKeys], ['id' => 'ASC']);
+        return $this->cartRepository->findBy(['cart_key' => $cartKeys, 'agent_owned' => false], ['id' => 'ASC']);
     }
 
     /**
diff --git a/src/Eccube/Service/PurchaseFlow/Processor/PreOrderIdValidator.php b/src/Eccube/Service/PurchaseFlow/Processor/PreOrderIdValidator.php
index 6212040044a..8e2f7fb8bc6 100644
--- a/src/Eccube/Service/PurchaseFlow/Processor/PreOrderIdValidator.php
+++ b/src/Eccube/Service/PurchaseFlow/Processor/PreOrderIdValidator.php
@@ -66,6 +66,14 @@ public function rollback(ItemHolderInterface $itemHolder, PurchaseContext $conte
             return;
         }
 
+        // エージェントコマース (ACP/UCP) の受注はセッションを持たない。操作中カートと受注の
+        // 紐付け・越境防止は CheckoutSession (推測不能な session_id + protocol 照合 +
+        // cart/order の pre_order_id 整合) が controller 層で担保するため、session 依存の
+        // 本チェックは適用外とする。
+        if ($itemHolder->getAgentProtocol() !== null) {
+            return;
+        }
+
         $Cart = $this->cartService->getCart();
 
         // CartがなければBad Requestエラー
diff --git a/tests/Eccube/Tests/Entity/CheckoutSessionTest.php b/tests/Eccube/Tests/Entity/CheckoutSessionTest.php
new file mode 100644
index 00000000000..e3e60436696
--- /dev/null
+++ b/tests/Eccube/Tests/Entity/CheckoutSessionTest.php
@@ -0,0 +1,201 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Entity;
+
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Repository\CheckoutSessionRepository;
+use Eccube\Repository\Master\AgentProtocolRepository;
+use Eccube\Repository\Master\CheckoutSessionStatusRepository;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 2 (Doctrine) tests for CheckoutSession + Order の agent 区分値.
+ *
+ * - CheckoutSession の永続化・取得・状態遷移 (incomplete -> ready -> completed / canceled / expired)。
+ * - status / protocol が文字列でなくマスタ (CheckoutSessionStatus / AgentProtocol) への FK であること。
+ * - SaveEventSubscriber による create_date/update_date 自動付与。
+ * - json カラム (buyer_data 等) のラウンドトリップ。
+ * - 通常購入の Order で agent_protocol/agent_id が NULL である回帰確認。
+ */
+final class CheckoutSessionTest extends EccubeTestCase
+{
+    private ?CheckoutSessionRepository $checkoutSessionRepository = null;
+
+    private ?CheckoutSessionStatusRepository $statusRepository = null;
+
+    private ?AgentProtocolRepository $protocolRepository = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->checkoutSessionRepository = self::getContainer()->get(CheckoutSessionRepository::class);
+        $this->statusRepository = self::getContainer()->get(CheckoutSessionStatusRepository::class);
+        $this->protocolRepository = self::getContainer()->get(AgentProtocolRepository::class);
+    }
+
+    private function findStatus(int $id): CheckoutSessionStatus
+    {
+        /** @var CheckoutSessionStatus $status */
+        $status = $this->statusRepository->find($id);
+
+        return $status;
+    }
+
+    private function createSession(string $sessionId): CheckoutSession
+    {
+        $session = new CheckoutSession();
+        $session
+            ->setSessionId($sessionId)
+            ->setProtocol($this->protocolRepository->find(AgentProtocol::ACP))
+            ->setStatus($this->findStatus(CheckoutSessionStatus::INCOMPLETE))
+            ->setCurrencyCode('JPY')
+            ->setBuyerData(['family_name' => '山田', 'given_name' => '太郎'])
+            ->setMetadata(['acp_status' => 'not_ready_for_payment']);
+        $this->entityManager->persist($session);
+        $this->entityManager->flush();
+
+        return $session;
+    }
+
+    public function testPersistAssignsIdentifierAndTimestamps(): void
+    {
+        $session = $this->createSession('cs_test_persist');
+
+        $this->assertNotNull($session->getId(), '永続化で id が採番される');
+        $this->assertInstanceOf(\DateTime::class, $session->getCreateDate(), 'SaveEventSubscriber が create_date を自動付与する');
+        $this->assertInstanceOf(\DateTime::class, $session->getUpdateDate(), 'SaveEventSubscriber が update_date を自動付与する');
+        $this->assertSame(CheckoutSessionStatus::INCOMPLETE, $session->getStatus()?->getId(), '初期 status は incomplete マスタ');
+    }
+
+    public function testProtocolAndStatusAreMasterRelations(): void
+    {
+        $session = $this->createSession('cs_test_master');
+        $id = $session->getId();
+        $this->entityManager->clear();
+
+        /** @var CheckoutSession $reloaded */
+        $reloaded = $this->checkoutSessionRepository->find($id);
+
+        $this->assertInstanceOf(AgentProtocol::class, $reloaded->getProtocol(), 'protocol はマスタ AgentProtocol への FK');
+        $this->assertSame('acp', $reloaded->getProtocol()?->getName(), 'AgentProtocol の正準名は acp');
+        $this->assertInstanceOf(CheckoutSessionStatus::class, $reloaded->getStatus(), 'status はマスタ CheckoutSessionStatus への FK');
+        $this->assertSame('incomplete', $reloaded->getStatus()?->getName(), 'CheckoutSessionStatus の正準名は incomplete');
+    }
+
+    public function testFindOneBySessionId(): void
+    {
+        $this->createSession('cs_test_lookup');
+        $this->entityManager->clear();
+
+        $found = $this->checkoutSessionRepository->findOneBySessionId('cs_test_lookup');
+
+        $this->assertInstanceOf(CheckoutSession::class, $found, 'session_id で取得できる');
+        $this->assertSame('cs_test_lookup', $found->getSessionId());
+    }
+
+    public function testJsonColumnsRoundTrip(): void
+    {
+        $session = $this->createSession('cs_test_json');
+        $id = $session->getId();
+        $this->entityManager->clear();
+
+        /** @var CheckoutSession $reloaded */
+        $reloaded = $this->checkoutSessionRepository->find($id);
+
+        // MySQL のネイティブ JSON 型は格納時にオブジェクトのキー順序を保持しない
+        // (PostgreSQL/SQLite は保持)。buyer_data はキーで参照する map で順序に意味は
+        // ないため、順序非依存 (canonicalizing) でラウンドトリップを検証する。
+        $this->assertEqualsCanonicalizing(['family_name' => '山田', 'given_name' => '太郎'], $reloaded->getBuyerData(), 'json buyer_data がラウンドトリップする');
+        $this->assertSame(['acp_status' => 'not_ready_for_payment'], $reloaded->getMetadata(), 'json metadata がラウンドトリップする');
+        $this->assertNull($reloaded->getFulfillmentData(), '未設定の json カラムは null');
+    }
+
+    public function testStatusTransitions(): void
+    {
+        $session = $this->createSession('cs_test_status');
+
+        foreach ([
+            CheckoutSessionStatus::READY,
+            CheckoutSessionStatus::COMPLETED,
+        ] as $next) {
+            $session->setStatus($this->findStatus($next));
+            $this->entityManager->flush();
+            $this->assertSame($next, $session->getStatus()?->getId());
+        }
+
+        // canceled も正規化ステータスマスタとして保持できる。
+        $session->setStatus($this->findStatus(CheckoutSessionStatus::CANCELED));
+        $this->entityManager->flush();
+        $this->assertSame('canceled', $session->getStatus()?->getName(), 'canceled を正規化ステータスとして保持できる');
+    }
+
+    public function testIsExpired(): void
+    {
+        $session = $this->createSession('cs_test_expire');
+        $now = new \DateTime('2026-06-11 12:00:00');
+
+        $this->assertFalse($session->isExpired($now), 'expires_at 未設定なら期限切れにならない');
+
+        $session->setExpiresAt(new \DateTime('2026-06-11 11:59:59'));
+        $this->assertTrue($session->isExpired($now), 'expires_at を過ぎていれば期限切れ');
+
+        $session->setExpiresAt(new \DateTime('2026-06-11 12:00:01'));
+        $this->assertFalse($session->isExpired($now), 'expires_at が未来なら期限切れでない');
+
+        $session->setExpiresAt(new \DateTime('2026-06-11 12:00:00'));
+        $this->assertTrue($session->isExpired($now), 'expires_at と現在時刻が同値の境界は期限切れ扱い (<=)');
+    }
+
+    public function testFindExpiredExcludesTerminalStatuses(): void
+    {
+        $now = new \DateTime('2026-06-11 12:00:00');
+        $past = new \DateTime('2026-06-11 11:00:00');
+
+        $active = $this->createSession('cs_expired_active');
+        $active->setExpiresAt($past);
+
+        $completed = $this->createSession('cs_expired_completed');
+        $completed->setExpiresAt($past)->setStatus($this->findStatus(CheckoutSessionStatus::COMPLETED));
+        $this->entityManager->flush();
+
+        $expired = $this->checkoutSessionRepository->findExpired($now);
+        $sessionIds = array_map(static fn (CheckoutSession $s): string => $s->getSessionId(), $expired);
+
+        $this->assertContains('cs_expired_active', $sessionIds, '期限切れの未完了セッションは対象');
+        $this->assertNotContains('cs_expired_completed', $sessionIds, '完了済セッションはクリーンアップ対象外');
+    }
+
+    public function testNormalOrderHasNullAgentColumns(): void
+    {
+        // Order に追加した agent_protocol/agent_id が、通常購入相当の Order で NULL であることの回帰確認。
+        $order = new Order();
+
+        $this->assertNotInstanceOf(AgentProtocol::class, $order->getAgentProtocol(), '通常購入では agent_protocol は NULL');
+        $this->assertNull($order->getAgentId(), '通常購入では agent_id は NULL');
+    }
+
+    public function testOrderAgentColumnsAreSettable(): void
+    {
+        $order = new Order();
+        $order->setAgentProtocol($this->protocolRepository->find(AgentProtocol::ACP))->setAgentId('agent-123');
+
+        $this->assertSame('acp', $order->getAgentProtocol()?->getName());
+        $this->assertSame('agent-123', $order->getAgentId());
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/AddressMappingServiceTest.php b/tests/Eccube/Tests/Service/AgentCommerce/AddressMappingServiceTest.php
new file mode 100644
index 00000000000..ba98e0cbf15
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/AddressMappingServiceTest.php
@@ -0,0 +1,185 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce;
+
+use Eccube\Entity\Customer;
+use Eccube\Entity\Master\Country;
+use Eccube\Entity\Master\Pref;
+use Eccube\Entity\Shipping;
+use Eccube\Service\AgentCommerce\AddressMappingService;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 2 tests for AddressMappingService.
+ *
+ * 国コード変換はマスタ mtb_country_iso_code (CountryIsoCodeRepository) 経由になったため、
+ * fixtures を読み込んだ DB 上で検証する。ISO 3166-1 numeric (mtb_country.id) -> alpha-2 の
+ * 解決、mtb_country.csv の全 id がマスタで解決できること、姓名分離・DTO 整形を確認する。
+ */
+final class AddressMappingServiceTest extends EccubeTestCase
+{
+    private ?AddressMappingService $service = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        // AddressMappingService はまだ consumer が無く private では除去されるため、
+        // services_test.yaml で public 化してコンテナから取得する。
+        $this->service = self::getContainer()->get(AddressMappingService::class);
+    }
+
+    public function testGetAlpha2FromCountryIdKnownIds(): void
+    {
+        $this->assertSame('JP', $this->service->getAlpha2FromCountryId(392), 'ISO 3166-1 numeric 392 is Japan -> JP');
+        $this->assertSame('US', $this->service->getAlpha2FromCountryId(840), 'ISO 3166-1 numeric 840 is United States -> US');
+        $this->assertSame('GB', $this->service->getAlpha2FromCountryId(826), 'ISO 3166-1 numeric 826 is United Kingdom -> GB');
+        $this->assertSame('CN', $this->service->getAlpha2FromCountryId(156), 'ISO 3166-1 numeric 156 is China -> CN');
+        $this->assertSame('KR', $this->service->getAlpha2FromCountryId(410), 'ISO 3166-1 numeric 410 is Republic of Korea -> KR');
+        $this->assertSame('RU', $this->service->getAlpha2FromCountryId(643), 'ISO 3166-1 numeric 643 is Russia -> RU');
+    }
+
+    public function testGetAlpha2FromCountryIdNullAndUnknown(): void
+    {
+        $this->assertNull($this->service->getAlpha2FromCountryId(null), 'Null country id must yield null alpha-2');
+        $this->assertNull($this->service->getAlpha2FromCountryId(999), 'Unknown numeric id must yield null alpha-2 (no exception)');
+    }
+
+    /**
+     * mtb_country.csv に存在する全 numeric id が mtb_country_iso_code マスタで
+     * 非 null の alpha-2 に解決できること (どの国でも住所変換が破綻しない保証)。
+     */
+    public function testAllCountryIdsResolveViaMaster(): void
+    {
+        $ids = $this->loadCountryIdsFromCsv();
+        $this->assertNotEmpty($ids, 'mtb_country.csv must contain country rows for this assertion to be meaningful');
+
+        foreach ($ids as $id) {
+            $alpha2 = $this->service->getAlpha2FromCountryId($id);
+            $this->assertNotNull($alpha2, sprintf('mtb_country id %d must resolve to a non-null alpha-2 via mtb_country_iso_code', $id));
+            $this->assertMatchesRegularExpression('/^[A-Z]{2}$/', $alpha2, sprintf('mtb_country id %d must map to a two-letter uppercase alpha-2 code', $id));
+        }
+    }
+
+    public function testGetRegionFromPref(): void
+    {
+        $pref = new Pref();
+        $pref->setId(13);
+        $pref->setName('東京都');
+
+        $this->assertSame('東京都', $this->service->getRegionFromPref($pref), 'Region must be the prefecture name');
+        $this->assertNull($this->service->getRegionFromPref(null), 'Null prefecture must yield null region');
+    }
+
+    public function testToAddressArrayFromCustomerSplitsNameAndMapsCountry(): void
+    {
+        $country = new Country();
+        $country->setId(392);
+
+        $pref = new Pref();
+        $pref->setId(13);
+        $pref->setName('東京都');
+
+        $customer = new Customer();
+        $customer->setName01('山田');
+        $customer->setName02('太郎');
+        $customer->setKana01('ヤマダ');
+        $customer->setKana02('タロウ');
+        $customer->setCompanyName('株式会社テスト');
+        $customer->setPostalCode('1000001');
+        $customer->setPref($pref);
+        $customer->setAddr01('千代田区千代田');
+        $customer->setAddr02('1-1');
+        $customer->setCountry($country);
+        $customer->setPhoneNumber('0312345678');
+
+        $address = $this->service->toAddressArray($customer);
+
+        $this->assertSame('山田', $address['family_name'], 'family_name must come from name01');
+        $this->assertSame('太郎', $address['given_name'], 'given_name must come from name02');
+        $this->assertSame('ヤマダ', $address['family_name_kana'], 'family_name_kana must come from kana01');
+        $this->assertSame('タロウ', $address['given_name_kana'], 'given_name_kana must come from kana02');
+        $this->assertSame('株式会社テスト', $address['company'], 'company must come from company_name');
+        $this->assertSame('1000001', $address['postal_code'], 'postal_code must be mapped');
+        $this->assertSame('東京都', $address['region'], 'region must be the prefecture name');
+        $this->assertSame('千代田区千代田', $address['address1'], 'address1 must come from addr01');
+        $this->assertSame('1-1', $address['address2'], 'address2 must come from addr02');
+        $this->assertSame('JP', $address['country'], 'country must be alpha-2 resolved from Country.id (392 -> JP)');
+        $this->assertSame('0312345678', $address['phone'], 'phone must come from phone_number');
+    }
+
+    public function testToAddressArrayFromShipping(): void
+    {
+        $country = new Country();
+        $country->setId(840);
+
+        $pref = new Pref();
+        $pref->setId(1);
+        $pref->setName('北海道');
+
+        $shipping = new Shipping();
+        $shipping->setName01('佐藤');
+        $shipping->setName02('花子');
+        $shipping->setPostalCode('0600000');
+        $shipping->setPref($pref);
+        $shipping->setAddr01('札幌市中央区');
+        $shipping->setCountry($country);
+        $shipping->setPhoneNumber('0111234567');
+
+        $address = $this->service->toAddressArray($shipping);
+
+        $this->assertSame('佐藤', $address['family_name'], 'Shipping family_name must come from name01');
+        $this->assertSame('花子', $address['given_name'], 'Shipping given_name must come from name02');
+        $this->assertSame('北海道', $address['region'], 'Shipping region must be the prefecture name');
+        $this->assertSame('US', $address['country'], 'Shipping country must be alpha-2 resolved from Country.id (840 -> US)');
+        $this->assertSame('0111234567', $address['phone'], 'Shipping phone must come from phone_number');
+    }
+
+    public function testToAddressArrayWithNullCountryAndPref(): void
+    {
+        $customer = new Customer();
+        $customer->setName01('田中');
+        $customer->setName02('一郎');
+
+        $address = $this->service->toAddressArray($customer);
+
+        $this->assertSame('田中', $address['family_name'], 'family_name must be mapped even when country/pref are null');
+        $this->assertNull($address['country'], 'Null Country must yield null country alpha-2');
+        $this->assertNull($address['region'], 'Null Pref must yield null region');
+    }
+
+    /**
+     * @return int[]
+     */
+    private function loadCountryIdsFromCsv(): array
+    {
+        $csvPath = __DIR__.'/../../../../../src/Eccube/Resource/doctrine/import_csv/ja/mtb_country.csv';
+        $this->assertFileExists($csvPath, 'mtb_country.csv must exist at the expected resource path');
+
+        $ids = [];
+        $handle = fopen($csvPath, 'r');
+        $this->assertIsResource($handle, 'mtb_country.csv must be readable');
+        fgetcsv($handle, null, ',', '"', ''); // skip header row
+        while (($row = fgetcsv($handle, null, ',', '"', '')) !== false) {
+            if (!isset($row[0]) || $row[0] === '') {
+                continue;
+            }
+            $ids[] = (int) $row[0];
+        }
+        fclose($handle);
+
+        return $ids;
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapterTest.php b/tests/Eccube/Tests/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapterTest.php
new file mode 100644
index 00000000000..ffa948fda80
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/AgentCheckoutPurchaseFlowAdapterTest.php
@@ -0,0 +1,257 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce;
+
+use Eccube\Entity\Cart;
+use Eccube\Entity\Customer;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\ProductClass;
+use Eccube\Repository\CartRepository;
+use Eccube\Service\AgentCommerce\AgentCheckoutPurchaseFlowAdapter;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutAddress;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutLineItem;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutRequest;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutErrorCode;
+use Eccube\Service\AgentCommerce\Exception\AgentCheckoutException;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 3 (PurchaseFlow 連携) tests for AgentCheckoutPurchaseFlowAdapter.
+ *
+ * 中立 DTO -> Cart(永続) -> Order -> shopping flow 再計算 -> 結果 の経路を、
+ * fixtures を読み込んだ DB 上で検証する。ゲスト購入を基準線とし、税・送料・手数料が
+ * 既存 shopping flow で計算されること、ビジネス系結果 (在庫超過) が例外でなく
+ * messages[] に反映されること、プロトコル系エラーが例外になることを確認する。
+ */
+final class AgentCheckoutPurchaseFlowAdapterTest extends EccubeTestCase
+{
+    private ?AgentCheckoutPurchaseFlowAdapter $adapter = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->adapter = self::getContainer()->get(AgentCheckoutPurchaseFlowAdapter::class);
+    }
+
+    private function guestAddress(): AgentCheckoutAddress
+    {
+        return new AgentCheckoutAddress(
+            name01: '山田',
+            name02: '太郎',
+            kana01: 'ヤマダ',
+            kana02: 'タロウ',
+            postalCode: '5300001',
+            prefId: 27, // 大阪府
+            addr01: '大阪市北区',
+            addr02: '梅田1-1-1',
+            email: 'agent-guest@example.com',
+            phoneNumber: '0612345678',
+        );
+    }
+
+    private function createPurchasableProductClass(string $stock = '100'): ProductClass
+    {
+        $Product = $this->createProduct('エージェント注文テスト商品', 1);
+        /** @var ProductClass $ProductClass */
+        $ProductClass = $Product->getProductClasses()[0];
+        $ProductClass->setStock($stock);
+        $ProductClass->setStockUnlimited(false);
+        $this->entityManager->flush();
+
+        return $ProductClass;
+    }
+
+    public function testBuildOrderComputesTotalsForGuest(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 2)],
+            buyer: $this->guestAddress(),
+            currencyCode: 'JPY',
+            protocolId: AgentProtocol::ACP,
+            agentId: 'agent-xyz',
+        );
+
+        $result = $this->adapter->buildOrder($request);
+        $Order = $result->order;
+
+        $this->assertFalse($result->hasError(), '在庫十分なゲスト注文ではエラーメッセージは出ない');
+        $this->assertSame('acp', $Order->getAgentProtocol()?->getName(), 'agent_protocol マスタが Order に刻まれる');
+        $this->assertSame('agent-xyz', $Order->getAgentId(), 'agent_id が Order に刻まれる');
+        $this->assertNotInstanceOf(Customer::class, $Order->getCustomer(), 'ゲスト購入では Order.Customer は null');
+        $this->assertSame('山田', $Order->getName01(), 'buyer 住所が Order にコピーされる');
+
+        // 明細が DTO 通り (単価 = price02 / 数量 = 2) に構築されていること。
+        $productItems = $Order->getProductOrderItems();
+        $this->assertCount(1, $productItems, '商品明細は 1 行');
+        $this->assertSame(2, (int) $productItems[0]->getQuantity(), '数量が DTO の通り反映される');
+        $this->assertSame(0, bccomp((string) $productItems[0]->getPrice(), (string) $ProductClass->getPrice02(), 2), '明細単価は price02');
+        // shopping flow が税・送料・手数料込みの支払総額を計算していること。
+        $this->assertGreaterThan(0, (int) $Order->getPaymentTotal(), 'shopping flow で支払総額 (税送料込) が計算される');
+    }
+
+    public function testPrepareThenCommitFinalizesOrder(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 1)],
+            buyer: $this->guestAddress(),
+            protocolId: AgentProtocol::ACP,
+        );
+
+        $Order = $this->adapter->buildOrder($request)->order;
+
+        // PurchaseFlow の悲観ロック (StockReduceProcessor) のためトランザクションを張る。
+        // 通常購入の ShoppingController と同様、トランザクション境界は呼び出し側 (決済
+        // オーケストレーション層) が管理し、Adapter 自身は開始しない。
+        $this->entityManager->beginTransaction();
+        try {
+            // prepare = 在庫引当・受注番号採番 (決済オーソリの「前」, PaymentMethod::apply 相当)。
+            $prepareResult = $this->adapter->prepare($Order);
+            $this->assertFalse($prepareResult->hasError(), 'prepare でエラーが出ない');
+            $this->assertNotNull($Order->getOrderNo(), 'prepare で受注番号が採番される');
+
+            // commit = 確定 (決済オーソリ成功後, PaymentMethod::checkout 成功時相当)。
+            $this->adapter->commit($Order);
+            $this->entityManager->commit();
+        } catch (\Throwable $e) {
+            $this->entityManager->rollback();
+
+            throw $e;
+        }
+
+        $this->assertNotNull($Order->getOrderNo(), 'commit 後も受注番号が保持される');
+    }
+
+    public function testRollbackRestoresStockAfterPrepare(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('10');
+        $ProductStock = $ProductClass->getProductStock();
+        $initialStock = (int) $ProductStock->getStock();
+
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 3)],
+            buyer: $this->guestAddress(),
+            protocolId: AgentProtocol::ACP,
+        );
+
+        $Order = $this->adapter->buildOrder($request)->order;
+
+        $this->entityManager->beginTransaction();
+        try {
+            // prepare で在庫を 3 引き当て、決済失敗を想定して rollback で戻す。
+            $this->adapter->prepare($Order);
+            $this->adapter->rollback($Order);
+            $this->entityManager->commit();
+        } catch (\Throwable $e) {
+            $this->entityManager->rollback();
+
+            throw $e;
+        }
+
+        $this->entityManager->refresh($ProductStock);
+        $this->assertSame($initialStock, (int) $ProductStock->getStock(), 'rollback で在庫が prepare 前に戻る (決済失敗時)');
+    }
+
+    public function testAgentCartIsIsolatedFromWebStorefront(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 1)],
+            buyer: $this->guestAddress(),
+            protocolId: AgentProtocol::ACP,
+        );
+
+        $this->adapter->buildOrder($request);
+        // buildOrder が生成した agent_owned カートを cartRepository から特定する。
+        $cartRepository = self::getContainer()->get(CartRepository::class);
+
+        $agentCarts = $cartRepository->findBy(['agent_owned' => true]);
+        $this->assertNotEmpty($agentCarts, 'エージェント生成カートは agent_owned=true で保存される');
+        foreach ($agentCarts as $agentCart) {
+            $this->assertTrue($agentCart->isAgentOwned(), 'agent_owned フラグが立つ');
+            $this->assertNull($agentCart->getCustomer(), 'エージェントカートの customer_id は常に NULL (会員帰属は Order 側)');
+        }
+
+        // CartService が Web カート解決に用いる検索条件 (agent_owned=false) では拾われないこと。
+        $webVisible = $cartRepository->findBy(['agent_owned' => false]);
+        $webVisibleIds = array_map(static fn (Cart $c): ?int => $c->getId(), $webVisible);
+        foreach ($agentCarts as $agentCart) {
+            $this->assertNotContains($agentCart->getId(), $webVisibleIds, 'エージェントカートは Web 解決条件 (agent_owned=false) に含まれない');
+        }
+    }
+
+    public function testOverStockSurfacesAsMessageNotException(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('1');
+
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 5)],
+            buyer: $this->guestAddress(),
+            protocolId: AgentProtocol::ACP,
+        );
+
+        // 在庫超過は例外でなく messages[] (ビジネス系) として返る。
+        $result = $this->adapter->buildOrder($request);
+
+        $this->assertNotEmpty($result->messages, '在庫超過は messages[] に反映される (HTTP 200 + messages[] 系統)');
+    }
+
+    public function testEmptyLineItemsThrows(): void
+    {
+        $request = new AgentCheckoutRequest(lineItems: [], buyer: $this->guestAddress());
+
+        try {
+            $this->adapter->buildOrder($request);
+            self::fail('空明細は AgentCheckoutException を投げる');
+        } catch (AgentCheckoutException $e) {
+            $this->assertSame(AgentCheckoutErrorCode::EMPTY_LINE_ITEMS, $e->getErrorCode());
+        }
+    }
+
+    public function testUnknownProductThrows(): void
+    {
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem(999999999, 1)],
+            buyer: $this->guestAddress(),
+        );
+
+        try {
+            $this->adapter->buildOrder($request);
+            self::fail('未知の商品参照は AgentCheckoutException を投げる');
+        } catch (AgentCheckoutException $e) {
+            $this->assertSame(AgentCheckoutErrorCode::PRODUCT_NOT_FOUND, $e->getErrorCode());
+        }
+    }
+
+    public function testGuestWithoutAddressThrows(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), 1)],
+        );
+
+        try {
+            $this->adapter->buildOrder($request);
+            self::fail('ゲストで住所が無い場合は AgentCheckoutException を投げる');
+        } catch (AgentCheckoutException $e) {
+            $this->assertSame(AgentCheckoutErrorCode::MISSING_ADDRESS, $e->getErrorCode());
+        }
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/BaseInfoAgentCommerceFlagsTest.php b/tests/Eccube/Tests/Service/AgentCommerce/BaseInfoAgentCommerceFlagsTest.php
new file mode 100644
index 00000000000..9fba0ecc1b1
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/BaseInfoAgentCommerceFlagsTest.php
@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce;
+
+use Eccube\Entity\BaseInfo;
+use Eccube\Repository\BaseInfoRepository;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 2 (Doctrine) tests for the agent-commerce BaseInfo flags.
+ *
+ * Verifies that the enable flags (acp_checkout_enabled / ucp_checkout_enabled /
+ * ucp_catalog_requires_auth) default to false for both the persisted BaseInfo
+ * (id=1) and a freshly constructed instance, matching the "default false / off
+ * by default" contract from the base plan.
+ *
+ * Discovery / catalog are always public (no flag); only checkout and the future
+ * catalog auth mode are gated by these flags.
+ */
+final class BaseInfoAgentCommerceFlagsTest extends EccubeTestCase
+{
+    /** @var string[] The enable flags that MUST default to false. */
+    private const FLAG_PROPERTIES = [
+        'acp_checkout_enabled',
+        'ucp_checkout_enabled',
+        'ucp_catalog_requires_auth',
+    ];
+
+    public function testPersistedBaseInfoFlagsDefaultToFalse(): void
+    {
+        $BaseInfo = static::getContainer()->get(BaseInfoRepository::class)->get();
+
+        foreach (self::FLAG_PROPERTIES as $property) {
+            $value = $this->readBooleanFlag($BaseInfo, $property);
+            $this->assertFalse($value, sprintf('BaseInfo flag "%s" must default to false (off by default)', $property));
+        }
+    }
+
+    public function testNewBaseInfoFlagsDefaultToFalse(): void
+    {
+        $BaseInfo = new BaseInfo();
+
+        foreach (self::FLAG_PROPERTIES as $property) {
+            $value = $this->readBooleanFlag($BaseInfo, $property);
+            $this->assertFalse($value, sprintf('A freshly constructed BaseInfo must report "%s" as false', $property));
+        }
+    }
+
+    private function readBooleanFlag(BaseInfo $BaseInfo, string $property): bool
+    {
+        $studly = str_replace('_', '', ucwords($property, '_'));
+        foreach (['is'.$studly, 'get'.$studly] as $getter) {
+            if (method_exists($BaseInfo, $getter)) {
+                $value = $BaseInfo->{$getter}();
+                // null を (bool) で false に丸めると「default false」契約を取りこぼすため bool 型を厳密に要求する。
+                $this->assertIsBool($value, sprintf('%s() must return bool (got %s)', $getter, get_debug_type($value)));
+
+                return $value;
+            }
+        }
+
+        self::fail(sprintf('BaseInfo must expose a getter (is%1$s or get%1$s) for the "%2$s" flag', $studly, $property));
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionServiceTest.php b/tests/Eccube/Tests/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionServiceTest.php
new file mode 100644
index 00000000000..66658f31b47
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/CheckoutSession/AgentCheckoutCompletionServiceTest.php
@@ -0,0 +1,325 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\CheckoutSession;
+
+use Eccube\Entity\CheckoutSession;
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Entity\ProductClass;
+use Eccube\Entity\ProductStock;
+use Eccube\Repository\CheckoutSessionRepository;
+use Eccube\Repository\Master\CheckoutSessionStatusRepository;
+use Eccube\Service\AgentCommerce\AgentCheckoutPurchaseFlowAdapter;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutAddress;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutCompletionService;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutLineItem;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutRequest;
+use Eccube\Service\AgentCommerce\CheckoutSession\GuestCustomerResolver;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerInterface;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry;
+use Eccube\Service\AgentCommerce\Payment\PaymentOutcome;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 3 (complete 状態機械) tests for AgentCheckoutCompletionService.
+ *
+ * 「中断 → 再開」の状態機械を、決済ハンドラスタブの {@link PaymentOutcome} を切り替えて検証する:
+ * frictionless / challenge→再開 / declined→rollback / 冪等性 / 非同期(PENDING)→再開 /
+ * 期限切れ回収。在庫引当の保持・回収と CheckoutSession の正規化ステータス遷移を確認する。
+ */
+final class AgentCheckoutCompletionServiceTest extends EccubeTestCase
+{
+    private ?AgentCheckoutPurchaseFlowAdapter $adapter = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->adapter = self::getContainer()->get(AgentCheckoutPurchaseFlowAdapter::class);
+    }
+
+    public function testFrictionlessAuthorizeThenCapturePlacesOrder(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $stock = $ProductClass->getProductStock();
+        $session = $this->createReadySession($ProductClass, 2);
+
+        $handler = $this->stubHandler([PaymentOutcome::completed('auth_1')], PaymentOutcome::completed('cap_1'));
+        $result = $this->service($handler)->complete($session, []);
+
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $result->status->getId(), 'frictionless で completed へ遷移する');
+        $this->assertInstanceOf(Order::class, $result->order, 'completed 時は Order が返る');
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $session->getStatus()?->getId());
+
+        $this->entityManager->refresh($stock);
+        $this->assertInstanceOf(ProductStock::class, $stock);
+        $this->assertSame(98, (int) $stock->getStock(), '在庫が 2 引き当てられて確定する');
+    }
+
+    public function testChallengeHoldsStockThenResumeCompletes(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $stock = $ProductClass->getProductStock();
+        $session = $this->createReadySession($ProductClass, 2);
+
+        // authorize: 1 回目 REQUIRES_ACTION (3DS challenge) → 2 回目 COMPLETED (再開)。
+        $handler = $this->stubHandler(
+            [PaymentOutcome::requiresAction(['continue_url' => 'https://example.com/3ds/abc']), PaymentOutcome::completed('auth_2')],
+            PaymentOutcome::completed('cap_1'),
+        );
+        $service = $this->service($handler);
+
+        // 初回 complete: 追加認証待ち。在庫は引き当てたまま保持し、Order は未確定。
+        $first = $service->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::REQUIRES_ACTION, $first->status->getId(), '3DS challenge は requires_action (エラーでない)');
+        $this->assertNotInstanceOf(Order::class, $first->order, 'requires_action では Order は未確定');
+        $this->assertSame(['continue_url' => 'https://example.com/3ds/abc'], $first->actionData, 'actionData に continue_url 原資が載る');
+        $this->assertInstanceOf(\DateTime::class, $session->getExpiresAt(), 'requires_action で在庫確保期限 (expires_at) が設定される');
+        $this->assertGreaterThan(new \DateTime(), $session->getExpiresAt(), 'expires_at は将来 (在庫確保期限)');
+
+        $this->entityManager->refresh($stock);
+        $this->assertInstanceOf(ProductStock::class, $stock);
+        $this->assertSame(98, (int) $stock->getStock(), 'requires_action 中も在庫は引当のまま保持される (rollback しない)');
+
+        // 再開 complete: authentication_result を受けて確定。再 prepare せず authorize→capture→commit。
+        $second = $service->complete($session, ['authentication_result' => ['outcome' => 'authenticated']]);
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $second->status->getId(), '再開で completed へ遷移');
+        $this->assertInstanceOf(Order::class, $second->order);
+
+        $this->entityManager->refresh($stock);
+        $this->assertSame(98, (int) $stock->getStock(), '再開確定後も在庫は二重に減らない');
+    }
+
+    public function testDeclinedRetryableRollsBackStockAndReturnsToReady(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('10');
+        $stock = $ProductClass->getProductStock();
+        $session = $this->createReadySession($ProductClass, 3);
+
+        $handler = $this->stubHandler([PaymentOutcome::failed('payment_declined', 'Card declined.', true)]);
+        $result = $this->service($handler)->complete($session, []);
+
+        $this->assertSame(CheckoutSessionStatus::READY, $result->status->getId(), 'retryable な決済失敗は ready に戻す (再 complete 可)');
+        $this->assertNotInstanceOf(Order::class, $result->order, '失敗時は Order を確定しない');
+        $this->assertNotEmpty($result->messages, '決済失敗はビジネス系メッセージで返る');
+
+        $this->entityManager->refresh($stock);
+        $this->assertInstanceOf(ProductStock::class, $stock);
+        $this->assertSame(10, (int) $stock->getStock(), '決済失敗で引当をロールバックし在庫が戻る');
+    }
+
+    public function testDeclinedNonRetryableCancelsSession(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('10');
+        $session = $this->createReadySession($ProductClass, 1);
+
+        $handler = $this->stubHandler([PaymentOutcome::failed('fraud_blocked', 'Blocked.', false)]);
+        $result = $this->service($handler)->complete($session, []);
+
+        $this->assertSame(CheckoutSessionStatus::CANCELED, $result->status->getId(), 'unrecoverable な決済失敗は canceled');
+    }
+
+    public function testCompletedSessionIsIdempotentOnReplay(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $stock = $ProductClass->getProductStock();
+        $session = $this->createReadySession($ProductClass, 2);
+
+        $handler = $this->stubHandler([PaymentOutcome::completed('auth_1')], PaymentOutcome::completed('cap_1'));
+        $service = $this->service($handler);
+
+        $first = $service->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $first->status->getId());
+        $this->entityManager->refresh($stock);
+        $this->assertInstanceOf(ProductStock::class, $stock);
+        $this->assertSame(98, (int) $stock->getStock());
+        $orderId = $first->order?->getId();
+
+        // 完了済セッションの再 complete は副作用 (採番・在庫引当・与信) を再実行しない (ACP MUST)。
+        $replay = $service->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $replay->status->getId(), '再 complete も completed のまま');
+        $this->assertSame($orderId, $replay->order?->getId(), '同一 Order を返す');
+        $this->assertSame(1, $handler->authorizeCount, 'リプレイで authorize は再実行されない');
+        $this->assertSame(1, $handler->captureCount, 'リプレイで capture は再実行されない');
+
+        $this->entityManager->refresh($stock);
+        $this->assertSame(98, (int) $stock->getStock(), 'リプレイで在庫が二重に減らない');
+    }
+
+    public function testPendingHoldsAsInProgressThenResumeCompletes(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $stock = $ProductClass->getProductStock();
+        $session = $this->createReadySession($ProductClass, 1);
+
+        // authorize: 1 回目 PENDING (非同期) → 2 回目 COMPLETED (IPN/Webhook 受信後の再開)。
+        $handler = $this->stubHandler(
+            [PaymentOutcome::pending(['psp_ref' => 'pi_123']), PaymentOutcome::completed('auth_2')],
+            PaymentOutcome::completed('cap_1'),
+        );
+        $service = $this->service($handler);
+
+        $first = $service->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::IN_PROGRESS, $first->status->getId(), 'PENDING は in_progress で保持');
+        $this->entityManager->refresh($stock);
+        $this->assertInstanceOf(ProductStock::class, $stock);
+        $this->assertSame(99, (int) $stock->getStock(), 'in_progress 中も在庫は保持');
+
+        $second = $service->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::COMPLETED, $second->status->getId(), 'IPN/Webhook 相当の再開で completed');
+    }
+
+    public function testExpiredRequiresActionSessionIsReclaimable(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $session = $this->createReadySession($ProductClass, 1);
+
+        $handler = $this->stubHandler([PaymentOutcome::requiresAction(['continue_url' => 'https://example.com/3ds'])]);
+        $this->service($handler)->complete($session, []);
+        $this->assertSame(CheckoutSessionStatus::REQUIRES_ACTION, $session->getStatus()?->getId());
+
+        // 在庫確保期限を過去に倒して、期限切れ回収 (findExpired) の対象になることを確認する。
+        $session->setExpiresAt((new \DateTime())->modify('-1 minutes'));
+        $this->entityManager->flush();
+
+        /** @var CheckoutSessionRepository $repository */
+        $repository = $this->entityManager->getRepository(CheckoutSession::class);
+        $expired = $repository->findExpired(new \DateTime());
+        $ids = array_map(static fn (CheckoutSession $s): ?int => $s->getId(), $expired);
+        $this->assertContains($session->getId(), $ids, 'requires_action は非終端のため期限切れ回収の対象に含まれる');
+    }
+
+    /**
+     * Order を構築済みの ready なセッションを作る.
+     */
+    private function createReadySession(ProductClass $ProductClass, int $quantity): CheckoutSession
+    {
+        $request = new AgentCheckoutRequest(
+            lineItems: [new AgentCheckoutLineItem((int) $ProductClass->getId(), $quantity)],
+            buyer: $this->guestAddress(),
+            protocolId: AgentProtocol::ACP,
+        );
+        $order = $this->adapter->buildOrder($request)->order;
+
+        $session = new CheckoutSession();
+        $session
+            ->setSessionId('cs_'.bin2hex(random_bytes(8)))
+            ->setOrder($order)
+            ->setCurrencyCode('JPY')
+            ->setStatus($this->statusMaster(CheckoutSessionStatus::READY));
+        $this->entityManager->persist($session);
+        $this->entityManager->flush();
+
+        return $session;
+    }
+
+    private function statusMaster(int $id): CheckoutSessionStatus
+    {
+        $status = $this->entityManager->getRepository(CheckoutSessionStatus::class)->find($id);
+        $this->assertInstanceOf(CheckoutSessionStatus::class, $status);
+
+        return $status;
+    }
+
+    private function service(AgentCheckoutPaymentHandlerInterface ...$handlers): AgentCheckoutCompletionService
+    {
+        /** @var CheckoutSessionStatusRepository $statusRepository */
+        $statusRepository = $this->entityManager->getRepository(CheckoutSessionStatus::class);
+
+        return new AgentCheckoutCompletionService(
+            $this->entityManager,
+            self::getContainer()->get(AgentCheckoutPurchaseFlowAdapter::class),
+            new AgentCheckoutPaymentHandlerRegistry($handlers),
+            $statusRepository,
+            self::getContainer()->get(GuestCustomerResolver::class),
+            15,
+        );
+    }
+
+    /**
+     * 設定可能な決済ハンドラスタブ.
+     *
+     * @param array<int, PaymentOutcome> $authorizeOutcomes authorize の戻り値 (呼び出し順に消費・末尾を反復)
+     */
+    private function stubHandler(array $authorizeOutcomes, ?PaymentOutcome $captureOutcome = null): AgentCheckoutPaymentHandlerInterface
+    {
+        return new class($authorizeOutcomes, $captureOutcome) implements AgentCheckoutPaymentHandlerInterface {
+            public int $authorizeCount = 0;
+
+            public int $captureCount = 0;
+
+            /**
+             * @param array<int, PaymentOutcome> $authorizeOutcomes
+             */
+            public function __construct(
+                private array $authorizeOutcomes,
+                private readonly ?PaymentOutcome $captureOutcome,
+            ) {
+            }
+
+            public function authorize(Order $order, array $paymentData): PaymentOutcome
+            {
+                $outcome = $this->authorizeOutcomes[$this->authorizeCount] ?? $this->authorizeOutcomes[array_key_last($this->authorizeOutcomes)];
+                ++$this->authorizeCount;
+
+                return $outcome;
+            }
+
+            public function capture(Order $order, array $paymentData): PaymentOutcome
+            {
+                ++$this->captureCount;
+
+                return $this->captureOutcome ?? PaymentOutcome::completed('cap_'.$this->captureCount);
+            }
+
+            public function supports(Order $order): bool
+            {
+                return true;
+            }
+        };
+    }
+
+    private function guestAddress(): AgentCheckoutAddress
+    {
+        return new AgentCheckoutAddress(
+            name01: '山田',
+            name02: '太郎',
+            kana01: 'ヤマダ',
+            kana02: 'タロウ',
+            postalCode: '5300001',
+            prefId: 27,
+            addr01: '大阪市北区',
+            addr02: '梅田1-1-1',
+            email: 'agent-completion@example.com',
+            phoneNumber: '0612345678',
+        );
+    }
+
+    private function createPurchasableProductClass(string $stock = '100'): ProductClass
+    {
+        $Product = $this->createProduct('エージェント complete テスト商品', 1);
+        /** @var ProductClass $ProductClass */
+        $ProductClass = $Product->getProductClasses()[0];
+        $ProductClass->setStock($stock);
+        $ProductClass->setStockUnlimited(false);
+        // createProduct は ProductStock を faker の乱数で生成するため、引当検証を決定的にするよう
+        // ProductClass.stock と ProductStock.stock の双方を明示的に揃える (引当は ProductStock を減らす)。
+        $ProductClass->getProductStock()->setStock($stock);
+        $this->entityManager->flush();
+
+        return $ProductClass;
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCheckoutCoreConformanceTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCheckoutCoreConformanceTest.php
new file mode 100644
index 00000000000..fa37df11da8
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCheckoutCoreConformanceTest.php
@@ -0,0 +1,133 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Conformance;
+
+use Eccube\Entity\Master\AgentProtocol;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Entity\Order;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessageLevel;
+use Eccube\Service\AgentCommerce\Payment\PaymentOutcomeStatus;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 0 (conformance) tests for the CheckoutSession 中核 (#6777 Phase 1b).
+ *
+ * ACP/UCP 横断の規範要件のうち、共通基盤の CheckoutSession 中核が担保するものを 1:1 でトレースする。
+ * 中核で実装できない要件 (controller での HTTP 変換等) は markTestIncomplete で残す。
+ *
+ * @see https://github.com/agentic-commerce-protocol/agentic-commerce-protocol/tree/main/spec/2026-04-17
+ * @see https://github.com/Universal-Commerce-Protocol/ucp
+ */
+final class AgentCheckoutCoreConformanceTest extends TestCase
+{
+    /**
+     * CheckoutSession.status は ACP/UCP 横断の正規化ステータスマスタであり、`canceled` を含む.
+     *
+     * (incomplete=1 / ready=2 / completed=3 / canceled=4 / expired=5 /
+     *  requires_action=6 / in_progress=7)
+     * 正準名 (`canceled` 等) は import_csv で seed され、DB 上の値は Layer 2 で検証する。
+     */
+    public function testNormalizedStatusIncludesCanceled(): void
+    {
+        $ids = [
+            CheckoutSessionStatus::INCOMPLETE,
+            CheckoutSessionStatus::READY,
+            CheckoutSessionStatus::COMPLETED,
+            CheckoutSessionStatus::CANCELED,
+            CheckoutSessionStatus::EXPIRED,
+            CheckoutSessionStatus::REQUIRES_ACTION,
+            CheckoutSessionStatus::IN_PROGRESS,
+        ];
+
+        $this->assertContains(CheckoutSessionStatus::CANCELED, $ids, 'MUST: 正規化ステータスマスタは canceled を含む');
+        $this->assertSame([1, 2, 3, 4, 5, 6, 7], $ids, '正規化ステータスマスタの定数が 7 段そろう');
+    }
+
+    /**
+     * 追加認証 (3DS) / escalation はエラーでなく complete が返す中間状態であり、正規化ステータスとして表現する.
+     *
+     * UCP `requires_escalation` / ACP `authentication_required` → `requires_action`、
+     * `complete_in_progress` → `in_progress` に正規化する (#6777)。これらは在庫を引当のまま保持し
+     * 再開 complete を待つ非終端ステータスである。
+     */
+    public function testNormalizedStatusIncludesIntermediateActionStates(): void
+    {
+        $this->assertSame(6, CheckoutSessionStatus::REQUIRES_ACTION, 'MUST: 追加認証/escalation 待ちの正規化ステータス requires_action を持つ');
+        $this->assertSame(7, CheckoutSessionStatus::IN_PROGRESS, 'MUST: 非同期決済確定待ちの正規化ステータス in_progress を持つ');
+    }
+
+    /**
+     * 決済ハンドラの結果型は「中断→再開」状態機械を表現する 4 値を持つ.
+     *
+     * COMPLETED / REQUIRES_ACTION (3DS/escalation) / PENDING (非同期) / FAILED。
+     * 追加認証はエラー (FAILED) ではなく REQUIRES_ACTION で表現される点が要。
+     */
+    public function testPaymentOutcomeCoversStateMachineSignals(): void
+    {
+        $values = array_map(static fn (PaymentOutcomeStatus $s): string => $s->value, PaymentOutcomeStatus::cases());
+
+        $this->assertEqualsCanonicalizing(
+            ['completed', 'requires_action', 'pending', 'failed'],
+            $values,
+            'MUST: 決済結果型は completed/requires_action/pending/failed の 4 状態を表現できる',
+        );
+    }
+
+    /**
+     * ビジネス系の結果 (HTTP 200 + messages[]) は error/warning/info の 3 段で表現する.
+     *
+     * @see ACP MessageError / MessageWarning / MessageInfo
+     */
+    public function testBusinessMessageLevelsCoverErrorWarningInfo(): void
+    {
+        $levels = array_map(static fn (AgentCheckoutMessageLevel $l): string => $l->value, AgentCheckoutMessageLevel::cases());
+
+        $this->assertEqualsCanonicalizing(['error', 'warning', 'info'], $levels, 'MUST: ビジネス系メッセージは error/warning/info の 3 段を持つ');
+    }
+
+    /**
+     * エージェント経由の注文は Order に protocol/agent 識別子を保持でき、通常購入では NULL である.
+     */
+    public function testOrderCarriesAgentAttributionAndDefaultsNull(): void
+    {
+        $normal = new Order();
+        $this->assertNotInstanceOf(AgentProtocol::class, $normal->getAgentProtocol(), 'MUST: 通常購入の Order は agent_protocol が NULL');
+        $this->assertNull($normal->getAgentId(), 'MUST: 通常購入の Order は agent_id が NULL');
+
+        $protocol = new AgentProtocol();
+        $agentOrder = new Order();
+        $agentOrder->setAgentProtocol($protocol)->setAgentId('agent-1');
+        $this->assertSame($protocol, $agentOrder->getAgentProtocol(), 'エージェント注文は protocol マスタを保持できる');
+    }
+
+    /**
+     * プロトコル系 (HTTP 4xx/5xx) とビジネス系 (HTTP 200 + messages[]) の 2 系統への
+     * 実際の HTTP 変換は checkout controller (#6776/#6574) の責務であり中核の対象外.
+     */
+    public function testTwoTierHttpMappingIsDeferredToControllerLayer(): void
+    {
+        self::markTestIncomplete('HTTP ステータスと messages[] への 2 系統変換は ACP/UCP checkout controller (#6776/#6574) で検証する。');
+    }
+
+    /**
+     * リプレイ (Idempotency-Key) で副作用を再実行しない不変条件は、controller/middleware の
+     * 冪等性処理に依存するため中核では未実装.
+     */
+    public function testIdempotentReplayIsDeferredToControllerLayer(): void
+    {
+        self::markTestIncomplete('Idempotency-Key によるリプレイ抑止は checkout controller (#6776/#6574) で検証する。');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCommerceBaseConformanceTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCommerceBaseConformanceTest.php
new file mode 100644
index 00000000000..e3fe24f461f
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/AgentCommerceBaseConformanceTest.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Conformance;
+
+use Eccube\Service\AgentCommerce\MinorUnitConverter;
+use Eccube\Service\AgentCommerce\Security\KeyStoreInterface;
+use Eccube\Service\AgentCommerce\Security\UcpMessageSigner;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 0 (conformance) tests for the agent-commerce common base.
+ *
+ * These assert a handful of cross-protocol MUST requirements shared by ACP and
+ * UCP. Requirements not yet implementable in the base are marked incomplete.
+ *
+ * @see https://github.com/agentic-commerce-protocol/agentic-commerce-protocol/tree/main/spec/2026-04-17
+ * @see https://github.com/Universal-Commerce-Protocol/ucp
+ */
+final class AgentCommerceBaseConformanceTest extends TestCase
+{
+    /**
+     * MUST: monetary amounts are represented as integer minor units (smallest
+     * currency unit), not floats. Verified through MinorUnitConverter for a
+     * zero-decimal and a two-decimal currency.
+     *
+     * @see ACP spec/2026-04-17 — amounts are integers in the currency's minor unit
+     */
+    public function testMonetaryAmountsAreIntegerMinorUnits(): void
+    {
+        $converter = new MinorUnitConverter();
+
+        $jpy = $converter->toMinorUnits('1000', 'JPY');
+        $this->assertIsInt($jpy, 'MUST: monetary amounts are integer minor units (JPY, zero-decimal)');
+        $this->assertSame(1000, $jpy, 'MUST: a JPY amount of 1000 is 1000 minor units');
+
+        $usd = $converter->toMinorUnits('10.99', 'USD');
+        $this->assertIsInt($usd, 'MUST: monetary amounts are integer minor units (USD, two-decimal)');
+        $this->assertSame(1099, $usd, 'MUST: a USD amount of 10.99 is 1099 minor units (cents)');
+    }
+
+    /**
+     * MUST: published signing keys advertise public key material only. The
+     * private key parameter "d" MUST NOT appear in any discovery JWK.
+     *
+     * @see UCP /.well-known/ucp signing_keys[] — EC public-key JWKs only
+     */
+    public function testPublishedSigningKeysContainPublicMaterialOnly(): void
+    {
+        $store = new class implements KeyStoreInterface {
+            /** @var array<string, string> */
+            private array $store = [];
+
+            public function read(string $purpose): ?string
+            {
+                return $this->store[$purpose] ?? null;
+            }
+
+            public function write(string $purpose, string $pem): void
+            {
+                $this->store[$purpose] = $pem;
+            }
+        };
+
+        $signer = new UcpMessageSigner($store, 'ucp_signing');
+        $jwks = $signer->getPublicJwks();
+
+        $this->assertNotEmpty($jwks, 'MUST: at least one signing key is advertised for discovery');
+        foreach ($jwks as $jwk) {
+            $this->assertSame('EC', $jwk['kty'] ?? null, 'MUST: UCP signing keys are EC keys');
+            $this->assertArrayNotHasKey('d', $jwk, 'MUST NOT: discovery JWKs must not contain the private parameter d');
+        }
+    }
+
+    /**
+     * Cross-protocol two-tier error model (protocol errors as HTTP 4xx/5xx vs
+     * business errors as HTTP 200 + messages[]) is enforced at the controller
+     * layer, which is out of scope for the common base.
+     */
+    public function testTwoTierErrorModelIsDeferredToControllerLayer(): void
+    {
+        self::markTestIncomplete('Two-tier error model (HTTP errors vs messages[]) is verified in the ACP/UCP checkout controller tracks, not in the common base.');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Conformance/UcpCheckoutConformanceTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/UcpCheckoutConformanceTest.php
new file mode 100644
index 00000000000..0323738bd27
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Conformance/UcpCheckoutConformanceTest.php
@@ -0,0 +1,143 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Conformance;
+
+use Eccube\Entity\AgentCheckoutIdempotency;
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Repository\AgentCheckoutIdempotencyRepository;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessage;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessageLevel;
+use Eccube\Service\AgentCommerce\Exception\IdempotencyConflictException;
+use Eccube\Service\AgentCommerce\Idempotency\AgentCheckoutIdempotencyStore;
+use Eccube\Service\AgentCommerce\Ucp\UcpMessageMapper;
+use Eccube\Service\AgentCommerce\Ucp\UcpStatusMapper;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 0: UCP Checkout 仕様適合性 (規範要件 1:1 トレース).
+ *
+ * UCP 一次仕様 (v2026-04-08) の MUST / MUST NOT を 1 テスト = 1 要件で追跡する。
+ * 各 assertion の第3引数に規範要件文、docblock に出典 URL を行アンカー付きで記す。
+ * HTTP レベルの規範 (エンドポイント挙動) は {@link \Eccube\Tests\Web\AgentCommerce\UcpCheckoutControllerTest}
+ * が補完する。未実装の要件は markTestIncomplete で残す (実装が進むと green へ遷移)。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP (pin: v2026-04-08)
+ */
+final class UcpCheckoutConformanceTest extends EccubeTestCase
+{
+    private function idempotencyStore(): AgentCheckoutIdempotencyStore
+    {
+        /** @var AgentCheckoutIdempotencyRepository $repository */
+        $repository = $this->entityManager->getRepository(AgentCheckoutIdempotency::class);
+
+        return new AgentCheckoutIdempotencyStore($this->entityManager, $repository);
+    }
+
+    /**
+     * status は incomplete/requires_escalation/ready_for_complete/complete_in_progress/completed/canceled。
+     * EC-CUBE の正規化 ready は UCP の ready_for_complete として広告されなければならない。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/source/schemas/shopping/checkout.json#L65 (status enum)
+     */
+    public function testReadyIsAdvertisedAsReadyForComplete(): void
+    {
+        $status = new CheckoutSessionStatus();
+        $status->setId(CheckoutSessionStatus::READY);
+
+        $this->assertSame('ready_for_complete', (new UcpStatusMapper())->toUcpStatus($status), 'MUST: a session whose required info is present is advertised as "ready_for_complete".');
+    }
+
+    /**
+     * ビジネスロジックエラーは HTTP 200 + messages[] で表現し、error は severity を持つ
+     * (recoverable / requires_buyer_input / requires_buyer_review / unrecoverable)。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/source/schemas/common/types/message_error.json#L38 (severity enum)
+     */
+    public function testBusinessErrorsCarrySeverity(): void
+    {
+        $messages = (new UcpMessageMapper())->toUcpMessages([
+            new AgentCheckoutMessage(AgentCheckoutMessageLevel::ERROR, '在庫が不足しています'),
+        ]);
+
+        $this->assertSame('error', $messages[0]['type'], 'MUST: business outcomes are conveyed via messages[] with a type.');
+        $this->assertContains($messages[0]['severity'], ['recoverable', 'requires_buyer_input', 'requires_buyer_review', 'unrecoverable'], 'MUST: an error message carries a severity from the defined enum.');
+    }
+
+    /**
+     * 同一 Idempotency-Key が異なるパラメータで再利用された場合は 409 Conflict 相当で拒否しなければならない。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/docs/specification/checkout-rest.md (Idempotency-Key reuse -> 409)
+     */
+    public function testIdempotencyKeyReuseWithDifferentParamsIsRejected(): void
+    {
+        $store = $this->idempotencyStore();
+        $store->execute('k', 'hash-A', static fn (): array => ['status' => 201, 'body' => []]);
+
+        $this->expectException(IdempotencyConflictException::class);
+        $store->execute('k', 'hash-B', static fn (): array => ['status' => 201, 'body' => []]);
+    }
+
+    /**
+     * 同一 Idempotency-Key の再送はサーバ側の副作用を再実行してはならない (リプレイ)。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/docs/specification/checkout-rest.md (Idempotency-Key replay)
+     */
+    public function testIdempotentReplayDoesNotReexecuteSideEffects(): void
+    {
+        $store = $this->idempotencyStore();
+        $calls = 0;
+        $compute = function () use (&$calls): array {
+            ++$calls;
+
+            return ['status' => 201, 'body' => ['id' => 'cs']];
+        };
+
+        $store->execute('k', 'h', $compute);
+        $store->execute('k', 'h', $compute);
+
+        $this->assertSame(1, $calls, 'MUST NOT: a duplicate Idempotency-Key re-executes side effects.');
+    }
+
+    /**
+     * status が requires_escalation のとき continue_url は絶対 HTTPS URL でなければならない。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/docs/specification/checkout.md (continue_url MUST be absolute HTTPS when requires_escalation)
+     */
+    public function testContinueUrlMustBeAbsoluteHttpsOnEscalation(): void
+    {
+        $this->markTestIncomplete('requires_escalation の永続化と continue_url 生成は MVP では未実装 (escalation は recoverable で代替)。');
+    }
+
+    /**
+     * complete (completed) 後、事業者は注文確認メールを送信しなければならない。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/docs/specification/checkout.md (confirmation email after completion)
+     */
+    public function testCompleteSendsConfirmationEmail(): void
+    {
+        $this->markTestIncomplete('確認メール送信は shopping flow / MailService 連携で別途検証する (本 Layer では未トレース)。');
+    }
+
+    /**
+     * 全エンドポイントは HTTPS (TLS 1.3+) で提供されなければならない。
+     *
+     * @see https://github.com/Universal-Commerce-Protocol/ucp/blob/main/docs/specification/checkout-rest.md (all endpoints over TLS 1.3+)
+     */
+    public function testAllEndpointsRequireHttps(): void
+    {
+        $this->markTestIncomplete('HTTPS 強制はトランスポート層 (デプロイ構成) の責務であり、アプリ層ではトレースしない。');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapperTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapperTest.php
new file mode 100644
index 00000000000..e58e0fd88dd
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Fulfillment/StandardFulfillmentOptionMapperTest.php
@@ -0,0 +1,145 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Fulfillment;
+
+use Eccube\Entity\DeliveryDuration;
+use Eccube\Entity\Master\Pref;
+use Eccube\Entity\Payment;
+use Eccube\Entity\ProductClass;
+use Eccube\Repository\Master\PrefRepository;
+use Eccube\Repository\PaymentRepository;
+use Eccube\Service\AgentCommerce\Fulfillment\StandardFulfillmentOptionMapper;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 3 tests for StandardFulfillmentOptionMapper.
+ *
+ * fixtures の Delivery/DeliveryFee/Payment/PaymentOption を用いて、配送先 Pref に対する
+ * 送料・代引手数料 (PaymentOption -> Payment::getCharge())・配送日数 (DeliveryDuration の
+ * 明細横断 max) が正しく解決されることを検証する。金額は minor unit (JPY=0桁) で確認する。
+ */
+final class StandardFulfillmentOptionMapperTest extends EccubeTestCase
+{
+    private ?StandardFulfillmentOptionMapper $mapper = null;
+
+    private ?PrefRepository $prefRepository = null;
+
+    private ?PaymentRepository $paymentRepository = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->mapper = self::getContainer()->get(StandardFulfillmentOptionMapper::class);
+        $this->prefRepository = self::getContainer()->get(PrefRepository::class);
+        $this->paymentRepository = self::getContainer()->get(PaymentRepository::class);
+    }
+
+    private function pref(int $id): Pref
+    {
+        /** @var Pref $pref */
+        $pref = $this->prefRepository->find($id);
+
+        return $pref;
+    }
+
+    private function firstProductClass(string $name): ProductClass
+    {
+        $Product = $this->createProduct($name, 1);
+
+        /** @var ProductClass $ProductClass */
+        $ProductClass = $Product->getProductClasses()[0];
+
+        return $ProductClass;
+    }
+
+    public function testReturnsOptionsWithShippingFeeAndPaymentOptions(): void
+    {
+        $ProductClass = $this->firstProductClass('配送テスト商品');
+
+        $options = $this->mapper->mapForDestination([$ProductClass], $this->pref(27), 'JPY');
+
+        $this->assertNotEmpty($options, '利用可能な配送方法が 1 件以上返る');
+        $option = $options[0];
+        $this->assertGreaterThan(0, $option->deliveryId, 'deliveryId が解決される');
+        $this->assertNotSame('', $option->name, '配送方法名が解決される');
+        $this->assertGreaterThanOrEqual(0, $option->shippingFeeMinor, '送料が minor unit (整数) で解決される');
+        $this->assertSame('JPY', $option->currencyCode);
+        $this->assertIsArray($option->paymentOptions, '支払方法の選択肢が配列で返る');
+    }
+
+    public function testCodChargeResolvedViaPaymentOption(): void
+    {
+        // 代金引換 (id=4) に手数料を設定し、PaymentOption 経由で minor unit に解決されることを確認。
+        /** @var Payment $cod */
+        $cod = $this->paymentRepository->find(4);
+        $cod->setCharge('330');
+        $this->entityManager->flush();
+
+        $ProductClass = $this->firstProductClass('代引テスト商品');
+        $options = $this->mapper->mapForDestination([$ProductClass], $this->pref(13), 'JPY');
+
+        $codChargeMinor = null;
+        foreach ($options as $option) {
+            foreach ($option->paymentOptions as $paymentOption) {
+                if ($paymentOption->paymentId === 4) {
+                    $codChargeMinor = $paymentOption->chargeMinor;
+                    break 2;
+                }
+            }
+        }
+
+        $this->assertNotNull($codChargeMinor, '代金引換が支払選択肢に含まれる');
+        $this->assertSame(330, $codChargeMinor, '代引手数料が Payment::getCharge() から minor unit (JPY=330) で解決される');
+    }
+
+    public function testDeliveryDaysIsMaxAcrossItems(): void
+    {
+        $pc2days = $this->firstProductClass('配送2日商品');
+        $pc2days->setDeliveryDuration($this->createDuration('お届け2日', 2));
+        $pc5days = $this->firstProductClass('配送5日商品');
+        $pc5days->setDeliveryDuration($this->createDuration('お届け5日', 5));
+        $this->entityManager->flush();
+
+        $options = $this->mapper->mapForDestination([$pc2days, $pc5days], $this->pref(27), 'JPY');
+
+        $this->assertNotEmpty($options);
+        $this->assertSame(5, $options[0]->estimatedDeliveryDays, '配送日数は明細横断の最大値 (2 と 5 -> 5)');
+    }
+
+    public function testBackorderItemYieldsNullDeliveryDays(): void
+    {
+        $pcNormal = $this->firstProductClass('通常配送商品');
+        $pcNormal->setDeliveryDuration($this->createDuration('お届け3日', 3));
+        $pcBackorder = $this->firstProductClass('お取り寄せ商品');
+        $pcBackorder->setDeliveryDuration($this->createDuration('お取り寄せ', -1));
+        $this->entityManager->flush();
+
+        $options = $this->mapper->mapForDestination([$pcNormal, $pcBackorder], $this->pref(27), 'JPY');
+
+        $this->assertNotEmpty($options);
+        $this->assertNull($options[0]->estimatedDeliveryDays, 'お取り寄せ (duration<0) が含まれると配送日数は未確定 (null)');
+    }
+
+    private function createDuration(string $name, int $duration): DeliveryDuration
+    {
+        $DeliveryDuration = new DeliveryDuration();
+        $DeliveryDuration->setName($name)->setDuration($duration)->setSortNo($duration + 100);
+        $this->entityManager->persist($DeliveryDuration);
+        $this->entityManager->flush();
+
+        return $DeliveryDuration;
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStoreTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStoreTest.php
new file mode 100644
index 00000000000..e38effb9543
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Idempotency/AgentCheckoutIdempotencyStoreTest.php
@@ -0,0 +1,153 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Idempotency;
+
+use Eccube\Entity\AgentCheckoutIdempotency;
+use Eccube\Repository\AgentCheckoutIdempotencyRepository;
+use Eccube\Service\AgentCommerce\Exception\IdempotencyConflictException;
+use Eccube\Service\AgentCommerce\Idempotency\AgentCheckoutIdempotencyStore;
+use Eccube\Tests\EccubeTestCase;
+
+/**
+ * Layer 1/2 (Idempotency) tests for AgentCheckoutIdempotencyStore (DB 一意制約ベース).
+ *
+ * - 同一キーの再送は副作用を再実行せず保存済みレスポンスをリプレイする (MUST NOT re-execute)。
+ * - 同一キーが異なるリクエスト内容で再利用された場合は 409 相当の例外。
+ * - 主体 (subject) で名前空間化し、別エージェントの越境リプレイを防ぐ。
+ * - DB の一意制約により、ノードローカルな分散ロックや共有キャッシュ無しで二重実行を防ぐ。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout-rest.md (Idempotency-Key)
+ */
+final class AgentCheckoutIdempotencyStoreTest extends EccubeTestCase
+{
+    private ?AgentCheckoutIdempotencyStore $store = null;
+
+    private ?AgentCheckoutIdempotencyRepository $repository = null;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        /** @var AgentCheckoutIdempotencyRepository $repository */
+        $repository = $this->entityManager->getRepository(AgentCheckoutIdempotency::class);
+        $this->repository = $repository;
+        $this->store = new AgentCheckoutIdempotencyStore($this->entityManager, $this->repository);
+    }
+
+    /**
+     * @return callable(): array{status: int, body: array<string, mixed>}
+     */
+    private function countingCompute(int &$calls, int $status = 201): callable
+    {
+        return function () use (&$calls, $status): array {
+            ++$calls;
+
+            return ['status' => $status, 'body' => ['order' => 'ord-'.$calls]];
+        };
+    }
+
+    public function testReplaysSameKeyWithoutReexecutingSideEffects(): void
+    {
+        $key = 'idem-'.bin2hex(random_bytes(6));
+        $hash = $this->store->hashRequest(['a' => 1]);
+        $calls = 0;
+        $compute = $this->countingCompute($calls);
+
+        $first = $this->store->execute($key, $hash, $compute);
+        $second = $this->store->execute($key, $hash, $compute);
+
+        $this->assertSame(1, $calls, 'MUST NOT re-execute side effects on replay');
+        $this->assertFalse($first['replayed']);
+        $this->assertTrue($second['replayed'], '2 回目はリプレイ');
+        $this->assertSame($first['body'], $second['body'], '同一レスポンスを返す');
+        $this->assertSame(201, $second['status']);
+    }
+
+    public function testConflictOnSameKeyDifferentRequest(): void
+    {
+        $key = 'idem-'.bin2hex(random_bytes(6));
+        $calls = 0;
+        $this->store->execute($key, $this->store->hashRequest(['a' => 1]), $this->countingCompute($calls));
+
+        $this->expectException(IdempotencyConflictException::class);
+        $this->store->execute($key, $this->store->hashRequest(['a' => 2]), $this->countingCompute($calls));
+    }
+
+    public function testNullKeyExecutesEveryTime(): void
+    {
+        $calls = 0;
+        $compute = $this->countingCompute($calls);
+        $this->store->execute(null, 'h', $compute);
+        $this->store->execute(null, 'h', $compute);
+        $this->assertSame(2, $calls, 'キー無しは冪等化せず都度実行する');
+    }
+
+    public function testDifferentSubjectsDoNotCollide(): void
+    {
+        $key = 'idem-'.bin2hex(random_bytes(6));
+        $hash = $this->store->hashRequest(['a' => 1]);
+        $calls = 0;
+        $compute = $this->countingCompute($calls);
+
+        // 同一キーでも主体 (subject) が異なれば別記録として両方実行される (越境リプレイ防止)。
+        $a = $this->store->execute($key, $hash, $compute, 'https://agent-a.example/.well-known/ucp');
+        $b = $this->store->execute($key, $hash, $compute, 'https://agent-b.example/.well-known/ucp');
+
+        $this->assertSame(2, $calls, '別主体は衝突せず各々実行される');
+        $this->assertFalse($a['replayed']);
+        $this->assertFalse($b['replayed']);
+    }
+
+    public function testComputeFailureRemovesReservationForRetry(): void
+    {
+        $key = 'idem-'.bin2hex(random_bytes(6));
+        $hash = $this->store->hashRequest(['a' => 1]);
+
+        try {
+            $this->store->execute($key, $hash, function (): array {
+                throw new \RuntimeException('payment failed');
+            });
+            self::fail('compute の例外は伝播する');
+        } catch (\RuntimeException $e) {
+            $this->assertSame('payment failed', $e->getMessage());
+        }
+
+        // 予約行が削除され、再試行可能な状態に戻っていること。
+        $this->assertNotInstanceOf(AgentCheckoutIdempotency::class, $this->repository->findOneByKeyAndSubject($key, ''), 'compute 失敗時は予約が消えて再試行できる');
+    }
+
+    public function testInProgressReservationReturnsConflict(): void
+    {
+        $key = 'idem-'.bin2hex(random_bytes(6));
+        $hash = $this->store->hashRequest(['a' => 1]);
+
+        // レスポンス未確定 (処理中) の予約を先に作る。
+        $reservation = (new AgentCheckoutIdempotency())
+            ->setIdempotencyKey($key)
+            ->setSubject('')
+            ->setRequestHash($hash);
+        $this->entityManager->persist($reservation);
+        $this->entityManager->flush();
+
+        // 同一キーの並行リクエストは「処理中」競合として弾かれる (副作用は実行しない)。
+        $calls = 0;
+        $this->expectException(IdempotencyConflictException::class);
+        try {
+            $this->store->execute($key, $hash, $this->countingCompute($calls));
+        } finally {
+            $this->assertSame(0, $calls, '処理中の並行リクエストは compute を実行しない');
+        }
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/MinorUnitConverterTest.php b/tests/Eccube/Tests/Service/AgentCommerce/MinorUnitConverterTest.php
new file mode 100644
index 00000000000..ddbd7e69c7b
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/MinorUnitConverterTest.php
@@ -0,0 +1,132 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce;
+
+use Eccube\Service\AgentCommerce\MinorUnitConverter;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (pure logic) tests for MinorUnitConverter.
+ *
+ * Verifies minor-unit conversion across zero-decimal (JPY), two-decimal (USD)
+ * and three-decimal (BHD) currencies, including negative amounts (UCP discounts),
+ * round-half-up boundaries, and toMinorUnits<->toAmountString round trips.
+ */
+final class MinorUnitConverterTest extends TestCase
+{
+    private MinorUnitConverter $converter;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->converter = new MinorUnitConverter();
+    }
+
+    public function testToMinorUnitsZeroDecimalJpy(): void
+    {
+        $this->assertSame(1000, $this->converter->toMinorUnits('1000', 'JPY'), 'JPY has 0 fraction digits so the minor unit equals the major amount');
+        $this->assertSame(1000, $this->converter->toMinorUnits('1000.00', 'JPY'), 'JPY trailing zeros must not introduce extra minor units');
+    }
+
+    public function testToMinorUnitsTwoDecimalUsd(): void
+    {
+        $this->assertSame(1000, $this->converter->toMinorUnits('10.00', 'USD'), 'USD 10.00 dollars equals 1000 cents');
+        $this->assertSame(1099, $this->converter->toMinorUnits('10.99', 'USD'), 'USD 10.99 dollars equals 1099 cents');
+        $this->assertSame(5, $this->converter->toMinorUnits('0.05', 'USD'), 'USD 0.05 dollars equals 5 cents');
+    }
+
+    public function testToMinorUnitsThreeDecimalBhd(): void
+    {
+        $this->assertSame(1500, $this->converter->toMinorUnits('1.500', 'BHD'), 'BHD has 3 fraction digits so 1.5 dinar equals 1500 fils');
+        $this->assertSame(1234, $this->converter->toMinorUnits('1.234', 'BHD'), 'BHD 1.234 dinar equals 1234 fils');
+    }
+
+    public function testToMinorUnitsNegativeAmount(): void
+    {
+        $this->assertSame(-500, $this->converter->toMinorUnits('-5.00', 'USD'), 'Negative amounts (UCP discounts) must convert to negative minor units');
+        $this->assertSame(-1000, $this->converter->toMinorUnits('-1000', 'JPY'), 'Negative zero-decimal amount must remain negative');
+    }
+
+    public function testToMinorUnitsRoundHalfUp(): void
+    {
+        $this->assertSame(1010, $this->converter->toMinorUnits('10.095', 'USD'), 'Round-half-up: 10.095 USD rounds up to 1010 cents');
+        $this->assertSame(1009, $this->converter->toMinorUnits('10.094', 'USD'), 'Round down: 10.094 USD rounds to 1009 cents');
+        $this->assertSame(-1010, $this->converter->toMinorUnits('-10.095', 'USD'), 'Round-half-up on negative magnitude: -10.095 USD rounds to -1010 cents');
+    }
+
+    #[DataProvider(methodName: 'malformedAmountProvider')]
+    public function testToMinorUnitsMalformedReturnsZero(string $amount): void
+    {
+        // 仕様: 空や不正な表記は 0。BCMath に渡す前に弾き ValueError を起こさないこと。
+        $this->assertSame(0, $this->converter->toMinorUnits($amount, 'USD'), sprintf('Malformed amount "%s" must convert to 0 without throwing', $amount));
+    }
+
+    public static function malformedAmountProvider(): \Iterator
+    {
+        yield 'empty' => [''];
+        yield 'dot only' => ['.'];
+        yield 'sign only' => ['-'];
+        yield 'alpha' => ['abc'];
+        yield 'thousands separator' => ['1,000'];
+        yield 'double dot' => ['1..2'];
+        yield 'trailing garbage' => ['12.34x'];
+        yield 'whitespace inside' => ['1 000'];
+        yield 'exponential notation' => ['1e3'];
+        yield 'exponential with decimal' => ['1.5e3'];
+        yield 'hex' => ['0x1A'];
+    }
+
+    public function testToAmountStringZeroDecimalJpy(): void
+    {
+        $this->assertSame('1000', $this->converter->toAmountString(1000, 'JPY'), 'JPY minor units map back to the same integer string with no decimal point');
+    }
+
+    public function testToAmountStringTwoDecimalUsd(): void
+    {
+        $this->assertSame('10.00', $this->converter->toAmountString(1000, 'USD'), 'USD 1000 cents map back to 10.00 dollars with 2 decimals');
+        $this->assertSame('10.99', $this->converter->toAmountString(1099, 'USD'), 'USD 1099 cents map back to 10.99 dollars');
+        $this->assertSame('0.05', $this->converter->toAmountString(5, 'USD'), 'USD 5 cents map back to 0.05 dollars');
+    }
+
+    public function testToAmountStringThreeDecimalBhd(): void
+    {
+        $this->assertSame('1.500', $this->converter->toAmountString(1500, 'BHD'), 'BHD 1500 fils map back to 1.500 dinar with 3 decimals');
+    }
+
+    public function testToAmountStringNegative(): void
+    {
+        $this->assertSame('-5.00', $this->converter->toAmountString(-500, 'USD'), 'Negative minor units must map back to a negative decimal string');
+    }
+
+    #[DataProvider(methodName: 'roundTripProvider')]
+    public function testRoundTrip(string $amount, string $currency): void
+    {
+        $minor = $this->converter->toMinorUnits($amount, $currency);
+        $back = $this->converter->toAmountString($minor, $currency);
+        $reMinor = $this->converter->toMinorUnits($back, $currency);
+        $this->assertSame($minor, $reMinor, 'toAmountString output must convert back to the identical minor-unit integer');
+    }
+
+    public static function roundTripProvider(): \Iterator
+    {
+        yield 'JPY positive' => ['1000', 'JPY'];
+        yield 'JPY negative' => ['-2500', 'JPY'];
+        yield 'USD positive' => ['10.99', 'USD'];
+        yield 'USD negative' => ['-3.50', 'USD'];
+        yield 'BHD positive' => ['1.234', 'BHD'];
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistryTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistryTest.php
new file mode 100644
index 00000000000..8a738a5e5b1
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Payment/AgentCheckoutPaymentHandlerRegistryTest.php
@@ -0,0 +1,136 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Payment;
+
+use Eccube\Entity\Order;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerInterface;
+use Eccube\Service\AgentCommerce\Payment\AgentCheckoutPaymentHandlerRegistry;
+use Eccube\Service\AgentCommerce\Payment\PaymentOutcome;
+use Eccube\Service\AgentCommerce\Payment\UcpPaymentHandlerInterface;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (純ロジック) tests for AgentCheckoutPaymentHandlerRegistry.
+ *
+ * タグ付きハンドラ群から handler_id / supports による解決を検証する。
+ * 具象ハンドラは決済プラグインが寄与するため、テストでは in-memory スタブを用いる。
+ */
+final class AgentCheckoutPaymentHandlerRegistryTest extends TestCase
+{
+    public function testResolvesUcpHandlerByHandlerId(): void
+    {
+        $card = new InMemoryUcpPaymentHandler('dev.ucp.payment.card');
+        $bank = new InMemoryUcpPaymentHandler('dev.ucp.payment.bank');
+        $registry = new AgentCheckoutPaymentHandlerRegistry([$card, $bank]);
+
+        $this->assertSame($card, $registry->resolveUcpByHandlerId('dev.ucp.payment.card'));
+        $this->assertSame($bank, $registry->resolveUcpByHandlerId('dev.ucp.payment.bank'));
+        $this->assertNotInstanceOf(UcpPaymentHandlerInterface::class, $registry->resolveUcpByHandlerId('dev.ucp.payment.unknown'));
+    }
+
+    public function testUcpHandlersFiltersOnlyUcp(): void
+    {
+        $ucp = new InMemoryUcpPaymentHandler('dev.ucp.payment.card');
+        // 非 UCP ハンドラを混在させ、ucpHandlers() が UCP のみを返す (フィルタの本質) ことを保証する。
+        $nonUcp = new InMemoryNonUcpPaymentHandler();
+        $registry = new AgentCheckoutPaymentHandlerRegistry([$nonUcp, $ucp]);
+
+        $this->assertSame([$ucp], $registry->ucpHandlers());
+    }
+
+    public function testResolveUcpByHandlerIdThrowsOnDuplicate(): void
+    {
+        $a = new InMemoryUcpPaymentHandler('dev.ucp.payment.card');
+        $b = new InMemoryUcpPaymentHandler('dev.ucp.payment.card');
+        $registry = new AgentCheckoutPaymentHandlerRegistry([$a, $b]);
+
+        $this->expectException(\RuntimeException::class);
+        $registry->resolveUcpByHandlerId('dev.ucp.payment.card');
+    }
+
+    public function testResolveForOrderUsesSupports(): void
+    {
+        $supporting = new InMemoryUcpPaymentHandler('dev.ucp.payment.card', supports: true);
+        $registry = new AgentCheckoutPaymentHandlerRegistry([$supporting]);
+
+        $this->assertSame($supporting, $registry->resolveForOrder(new Order()));
+    }
+
+    public function testResolveForOrderReturnsNullWhenNoneSupport(): void
+    {
+        $registry = new AgentCheckoutPaymentHandlerRegistry([new InMemoryUcpPaymentHandler('x', supports: false)]);
+
+        $this->assertNotInstanceOf(AgentCheckoutPaymentHandlerInterface::class, $registry->resolveForOrder(new Order()));
+    }
+}
+
+/**
+ * テスト用の UCP 決済ハンドラスタブ (本番の具象は決済プラグインが提供する).
+ */
+final readonly class InMemoryUcpPaymentHandler implements UcpPaymentHandlerInterface, AgentCheckoutPaymentHandlerInterface
+{
+    public function __construct(
+        private string $handlerId,
+        private bool $supports = false,
+    ) {
+    }
+
+    public function getHandlerId(): string
+    {
+        return $this->handlerId;
+    }
+
+    public function exchangePaymentToken(array $credential): array
+    {
+        return ['gateway_token' => 'tok_test', 'source' => $credential];
+    }
+
+    public function authorize(Order $order, array $paymentData): PaymentOutcome
+    {
+        return PaymentOutcome::completed();
+    }
+
+    public function capture(Order $order, array $paymentData): PaymentOutcome
+    {
+        return PaymentOutcome::completed();
+    }
+
+    public function supports(Order $order): bool
+    {
+        return $this->supports;
+    }
+}
+
+/**
+ * UCP ではない決済ハンドラのスタブ (ucpHandlers のフィルタ検証用).
+ */
+final readonly class InMemoryNonUcpPaymentHandler implements AgentCheckoutPaymentHandlerInterface
+{
+    public function authorize(Order $order, array $paymentData): PaymentOutcome
+    {
+        return PaymentOutcome::completed();
+    }
+
+    public function capture(Order $order, array $paymentData): PaymentOutcome
+    {
+        return PaymentOutcome::completed();
+    }
+
+    public function supports(Order $order): bool
+    {
+        return false;
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceOAuth2AuthenticatorTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceOAuth2AuthenticatorTest.php
new file mode 100644
index 00000000000..ef9e643e0fe
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceOAuth2AuthenticatorTest.php
@@ -0,0 +1,146 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Security;
+
+use Eccube\Service\AgentCommerce\Security\AgentCommerceOAuth2Authenticator;
+use Eccube\Service\AgentCommerce\Security\AgentCommerceScopeRegistry;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+/**
+ * Layer 4a (unit, eccube-api4 不要) tests for AgentCommerceOAuth2Authenticator.
+ *
+ * Symfony 標準 AccessTokenHandlerInterface のスタブを用いて、トークン検証 + scope×protocol
+ * 照合の分岐 (200/401/403) と、リソースサーバー (eccube-api4) 未導入時の 503 フォールバックを検証する。
+ */
+final class AgentCommerceOAuth2AuthenticatorTest extends TestCase
+{
+    private AgentCommerceScopeRegistry $scopeRegistry;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->scopeRegistry = new AgentCommerceScopeRegistry();
+    }
+
+    /**
+     * 付与 scope を attributes に載せて UserBadge を返すスタブ handler.
+     *
+     * @param array<int, string> $scopes
+     */
+    private function handlerWithScopes(array $scopes): AccessTokenHandlerInterface
+    {
+        // 匿名 readonly クラスは PHP 8.3+ 専用のため (サポート下限 8.2)、名前付きクラスへ切り出す。
+        return new ScopeStubAccessTokenHandler($scopes);
+    }
+
+    /**
+     * 不正トークンで AuthenticationException を投げるスタブ handler.
+     */
+    private function handlerRejectingToken(): AccessTokenHandlerInterface
+    {
+        return new class implements AccessTokenHandlerInterface {
+            public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
+            {
+                throw new BadCredentialsException('Invalid token.');
+            }
+        };
+    }
+
+    public function testValidTokenWithMatchingScopeReturnsUserBadge(): void
+    {
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry, $this->handlerWithScopes(['acp:checkout']));
+
+        $badge = $authenticator->authenticate('valid-token', 'acp', 'checkout');
+
+        $this->assertSame('agent-platform', $badge->getUserIdentifier(), 'valid token + matching scope は UserBadge を返す');
+    }
+
+    public function testSpaceDelimitedScopeAttributeIsAccepted(): void
+    {
+        $handler = new class implements AccessTokenHandlerInterface {
+            public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
+            {
+                return new UserBadge('agent-platform', null, ['scope' => 'ucp:catalog ucp:checkout']);
+            }
+        };
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry, $handler);
+
+        $badge = $authenticator->authenticate('valid-token', 'ucp', 'checkout');
+
+        $this->assertSame('agent-platform', $badge->getUserIdentifier(), 'OAuth2 標準の空白区切り scope 文字列も解釈できる');
+    }
+
+    public function testInvalidTokenThrowsAuthenticationException(): void
+    {
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry, $this->handlerRejectingToken());
+
+        $this->expectException(BadCredentialsException::class);
+        $authenticator->authenticate('invalid-token', 'acp', 'checkout');
+    }
+
+    public function testMissingScopeThrowsAccessDenied(): void
+    {
+        // catalog scope しか持たないトークンで checkout を要求 -> 403。
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry, $this->handlerWithScopes(['acp:catalog']));
+
+        $this->expectException(AccessDeniedException::class);
+        $authenticator->authenticate('valid-token', 'acp', 'checkout');
+    }
+
+    public function testProtocolCrossoverIsDenied(): void
+    {
+        // ucp:checkout を持つトークンで acp:checkout を要求 -> protocol 越境で 403。
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry, $this->handlerWithScopes(['ucp:checkout']));
+
+        $this->expectException(AccessDeniedException::class);
+        $authenticator->authenticate('valid-token', 'acp', 'checkout');
+    }
+
+    public function testHandlerUnavailableThrowsServiceUnavailable(): void
+    {
+        // eccube-api4 未導入 = handler が null -> 503。
+        $authenticator = new AgentCommerceOAuth2Authenticator($this->scopeRegistry);
+
+        $this->assertFalse($authenticator->isAvailable(), 'handler 未注入時は isAvailable() が false');
+
+        $this->expectException(ServiceUnavailableHttpException::class);
+        $authenticator->authenticate('any-token', 'acp', 'checkout');
+    }
+}
+
+/**
+ * 付与 scope を attributes に載せて UserBadge を返すスタブ handler.
+ *
+ * 名前付き readonly クラス (PHP 8.2 で有効) として定義する。匿名 readonly クラスは
+ * PHP 8.3+ 専用で、サポート下限 (8.2) の CI で parse error になるため使用しない。
+ */
+final readonly class ScopeStubAccessTokenHandler implements AccessTokenHandlerInterface
+{
+    /** @param array<int, string> $scopes */
+    public function __construct(private array $scopes)
+    {
+    }
+
+    public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
+    {
+        return new UserBadge('agent-platform', null, ['scopes' => $this->scopes]);
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceScopeRegistryTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceScopeRegistryTest.php
new file mode 100644
index 00000000000..d57738de9be
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Security/AgentCommerceScopeRegistryTest.php
@@ -0,0 +1,106 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Security;
+
+use Eccube\Service\AgentCommerce\Security\AgentCommerceScopeRegistry;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (pure logic) tests for AgentCommerceScopeRegistry.
+ *
+ * Verifies the canonical "<protocol>:<capability>" scope vocabulary
+ * (acp:checkout/acp:catalog, ucp:checkout/ucp:cart/ucp:catalog/ucp:identity),
+ * rejection of malformed scopes, and that protocol crossover is denied.
+ */
+final class AgentCommerceScopeRegistryTest extends TestCase
+{
+    private AgentCommerceScopeRegistry $registry;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->registry = new AgentCommerceScopeRegistry();
+    }
+
+    #[DataProvider(methodName: 'validScopeProvider')]
+    public function testIsValidScopeAcceptsCanonicalScopes(string $scope): void
+    {
+        $this->assertTrue($this->registry->isValidScope($scope), sprintf('"%s" is a canonical <protocol>:<capability> scope and must be valid', $scope));
+    }
+
+    public static function validScopeProvider(): \Iterator
+    {
+        yield ['acp:checkout'];
+        yield ['acp:catalog'];
+        yield ['ucp:checkout'];
+        yield ['ucp:cart'];
+        yield ['ucp:catalog'];
+        yield ['ucp:identity'];
+    }
+
+    #[DataProvider(methodName: 'invalidScopeProvider')]
+    public function testIsValidScopeRejectsMalformedOrUnknownScopes(string $scope): void
+    {
+        $this->assertFalse($this->registry->isValidScope($scope), sprintf('"%s" is not a canonical scope and must be rejected', $scope));
+    }
+
+    public static function invalidScopeProvider(): \Iterator
+    {
+        yield 'three segments legacy form' => ['agent:catalog:read'];
+        yield 'unknown protocol' => ['foo:checkout'];
+        yield 'unknown capability for acp' => ['acp:identity'];
+        yield 'unknown capability for ucp' => ['ucp:feed'];
+        yield 'cart not valid for acp' => ['acp:cart'];
+        yield 'no colon' => ['checkout'];
+        yield 'empty string' => [''];
+        yield 'colon only' => [':'];
+    }
+
+    public function testScopesForProtocol(): void
+    {
+        $this->assertEqualsCanonicalizing(['acp:checkout', 'acp:catalog'], $this->registry->scopesForProtocol('acp'), 'scopesForProtocol("acp") must list every acp scope in <protocol>:<capability> form');
+        $this->assertEqualsCanonicalizing(['ucp:checkout', 'ucp:cart', 'ucp:catalog', 'ucp:identity'], $this->registry->scopesForProtocol('ucp'), 'scopesForProtocol("ucp") must list every ucp scope in <protocol>:<capability> form');
+    }
+
+    public function testScopesForUnknownProtocolIsEmpty(): void
+    {
+        $this->assertSame([], $this->registry->scopesForProtocol('unknown'), 'An unknown protocol must yield no scopes');
+    }
+
+    public function testSupportsGrantsWhenScopePresentForMatchingProtocol(): void
+    {
+        $granted = ['ucp:checkout', 'ucp:cart'];
+        $this->assertTrue($this->registry->supports('ucp', 'checkout', $granted), 'supports must be true when grantedScopes contains the exact <protocol>:<capability> and the protocol matches');
+    }
+
+    public function testSupportsDeniesWhenCapabilityNotGranted(): void
+    {
+        $granted = ['ucp:cart'];
+        $this->assertFalse($this->registry->supports('ucp', 'checkout', $granted), 'supports must be false when the required capability scope was not granted');
+    }
+
+    public function testSupportsDeniesProtocolCrossover(): void
+    {
+        $granted = ['acp:checkout'];
+        $this->assertFalse($this->registry->supports('ucp', 'checkout', $granted), 'Protocol crossover must be denied: an acp:checkout grant must not satisfy a ucp checkout request');
+    }
+
+    public function testSupportsDeniesEmptyGrants(): void
+    {
+        $this->assertFalse($this->registry->supports('acp', 'catalog', []), 'supports must be false when no scopes were granted');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Security/UcpMessageSignerTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Security/UcpMessageSignerTest.php
new file mode 100644
index 00000000000..69248b02a65
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Security/UcpMessageSignerTest.php
@@ -0,0 +1,156 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Security;
+
+use Eccube\Service\AgentCommerce\Security\KeyStoreInterface;
+use Eccube\Service\AgentCommerce\Security\UcpMessageSigner;
+use phpseclib3\Crypt\PublicKeyLoader;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 5 (signing) tests for UcpMessageSigner.
+ *
+ * UCP uses RFC 9421 HTTP Message Signatures with EC P-256 (ES256) keys. These
+ * tests verify the sign/verify round trip, tamper rejection, JWK publication
+ * (public coordinates only, never the private "d" parameter), and key
+ * rotation via grace public keys.
+ *
+ * KeyStore is replaced by an in-memory stub so no filesystem/DB is touched.
+ */
+final class UcpMessageSignerTest extends TestCase
+{
+    private const PURPOSE = 'ucp_signing';
+
+    public function testSignThenVerifyRoundTrip(): void
+    {
+        $signer = new UcpMessageSigner($this->createKeyStore(), self::PURPOSE);
+        $base = '"@method": POST'."\n".'"@path": /checkout-sessions';
+
+        $signature = $signer->sign($base);
+
+        $this->assertNotSame('', $signature, 'sign must return a non-empty base64url signature');
+        $this->assertTrue($signer->verify($base, $signature), 'A signature produced by sign must verify against the same signature base');
+    }
+
+    public function testVerifyFailsOnTamperedSignatureBase(): void
+    {
+        $signer = new UcpMessageSigner($this->createKeyStore(), self::PURPOSE);
+        $base = 'original-signature-base';
+
+        $signature = $signer->sign($base);
+
+        $this->assertFalse($signer->verify('tampered-signature-base', $signature), 'A signature must not verify against a tampered signature base');
+    }
+
+    public function testVerifyFailsOnTamperedSignature(): void
+    {
+        $signer = new UcpMessageSigner($this->createKeyStore(), self::PURPOSE);
+        $base = 'signature-base';
+
+        $signature = $signer->sign($base);
+        // Flip the first character to corrupt the signature while keeping it base64url-ish.
+        $corrupted = ($signature[0] === 'A' ? 'B' : 'A').substr($signature, 1);
+
+        $this->assertFalse($signer->verify($base, $corrupted), 'A corrupted signature must not verify');
+    }
+
+    public function testGetPublicJwksExposesEcPublicKeyOnly(): void
+    {
+        $signer = new UcpMessageSigner($this->createKeyStore(), self::PURPOSE);
+
+        $jwks = $signer->getPublicJwks();
+
+        $this->assertNotEmpty($jwks, 'getPublicJwks must return at least the current key');
+        foreach ($jwks as $jwk) {
+            $this->assertSame('EC', $jwk['kty'], 'UCP signing keys must be EC keys (kty=EC)');
+            $this->assertSame('P-256', $jwk['crv'], 'UCP signing keys must use the P-256 curve');
+            $this->assertArrayHasKey('x', $jwk, 'EC public JWK must expose the x coordinate');
+            $this->assertArrayHasKey('y', $jwk, 'EC public JWK must expose the y coordinate');
+            $this->assertArrayNotHasKey('d', $jwk, 'Published JWK must never contain the private key parameter d');
+        }
+    }
+
+    public function testGetCurrentKidIsStableAndPresentInJwks(): void
+    {
+        $signer = new UcpMessageSigner($this->createKeyStore(), self::PURPOSE);
+
+        $kid = $signer->getCurrentKid();
+        $this->assertNotSame('', $kid, 'getCurrentKid must return a non-empty key id');
+
+        $kids = array_map(static fn (array $jwk) => $jwk['kid'] ?? null, $signer->getPublicJwks());
+        $this->assertContains($kid, $kids, 'The current kid must appear among the published JWKs');
+    }
+
+    /**
+     * Rotation: a signature created with the previous key must still verify on
+     * a signer whose current key is the new key and whose grace set contains
+     * the old public key.
+     */
+    public function testKeyRotationVerifiesWithGracePublicKey(): void
+    {
+        // Old signer with its own (auto-generated) private key.
+        $oldStore = $this->createKeyStore();
+        $oldSigner = new UcpMessageSigner($oldStore, self::PURPOSE);
+        $base = 'rotation-signature-base';
+        $oldSignature = $oldSigner->sign($base);
+
+        $oldPrivatePem = $oldStore->read(self::PURPOSE);
+        $this->assertNotNull($oldPrivatePem, 'The old key store must hold the generated private key');
+        $oldPublicPem = $this->derivePublicPem($oldPrivatePem);
+
+        // New signer with a fresh key, carrying the old public key in its grace set.
+        $newStore = $this->createKeyStore();
+        $newSigner = new UcpMessageSigner($newStore, self::PURPOSE, [$oldPublicPem]);
+
+        $this->assertTrue($newSigner->verify($base, $oldSignature), 'A signature made with the rotated-out key must still verify while its public key is in the grace set');
+
+        // And the grace public key must be advertised in the JWKs without leaking d.
+        $jwks = $newSigner->getPublicJwks();
+        $this->assertGreaterThanOrEqual(2, count($jwks), 'During grace, both the current and the grace public key must be published');
+        foreach ($jwks as $jwk) {
+            $this->assertArrayNotHasKey('d', $jwk, 'No published JWK (current or grace) may contain the private parameter d');
+        }
+    }
+
+    private function derivePublicPem(string $privatePem): string
+    {
+        $key = PublicKeyLoader::load($privatePem);
+
+        return $key->getPublicKey()->toString('PKCS8');
+    }
+
+    /**
+     * In-memory KeyStore stub: persists PEMs in an associative array keyed by
+     * purpose. No filesystem or DB access.
+     */
+    private function createKeyStore(): KeyStoreInterface
+    {
+        return new class implements KeyStoreInterface {
+            /** @var array<string, string> */
+            private array $store = [];
+
+            public function read(string $purpose): ?string
+            {
+                return $this->store[$purpose] ?? null;
+            }
+
+            public function write(string $purpose, string $pem): void
+            {
+                $this->store[$purpose] = $pem;
+            }
+        };
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilderTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilderTest.php
new file mode 100644
index 00000000000..34846cb588e
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/Rfc9421SignatureBaseBuilderTest.php
@@ -0,0 +1,80 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Ucp\Signature\Rfc9421SignatureBaseBuilder;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Layer 1 (純ロジック) tests for Rfc9421SignatureBaseBuilder.
+ *
+ * covered component から RFC 9421 signature base を再構成できること、@signature-params 行が
+ * 末尾に付くこと、未解決の派生 component や欠落ヘッダで例外になることを検証する。
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc9421 RFC 9421 Section 2.5
+ */
+final class Rfc9421SignatureBaseBuilderTest extends TestCase
+{
+    private Rfc9421SignatureBaseBuilder $builder;
+
+    protected function setUp(): void
+    {
+        $this->builder = new Rfc9421SignatureBaseBuilder();
+    }
+
+    public function testBuildsSignatureBaseForPostWithDerivedAndHeaderComponents(): void
+    {
+        $body = '{"line_items":[]}';
+        $request = Request::create('https://shop.example/ucp/checkout-sessions', Request::METHOD_POST, [], [], [], [], $body);
+        $request->headers->set('Content-Type', 'application/json');
+        $request->headers->set('Content-Digest', 'sha-256=:abc:');
+
+        $params = '("@method" "@authority" "@path" "content-digest" "content-type");keyid="k1";alg="ecdsa-p256-sha256"';
+        $base = $this->builder->build(
+            $request,
+            ['@method', '@authority', '@path', 'content-digest', 'content-type'],
+            $params,
+        );
+
+        $expected = implode("\n", [
+            '"@method": POST',
+            '"@authority": shop.example',
+            '"@path": /ucp/checkout-sessions',
+            '"content-digest": sha-256=:abc:',
+            '"content-type": application/json',
+            '"@signature-params": '.$params,
+        ]);
+
+        $this->assertSame($expected, $base);
+    }
+
+    public function testThrowsOnMissingSignedHeader(): void
+    {
+        $request = Request::create('https://shop.example/ucp/checkout-sessions', Request::METHOD_POST);
+
+        $this->expectException(\InvalidArgumentException::class);
+        $this->builder->build($request, ['content-digest'], '("content-digest")');
+    }
+
+    public function testThrowsOnUnsupportedDerivedComponent(): void
+    {
+        $request = Request::create('https://shop.example/ucp/checkout-sessions', Request::METHOD_POST);
+
+        $this->expectException(\InvalidArgumentException::class);
+        $this->builder->build($request, ['@unknown'], '("@unknown")');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpAgentHeaderTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpAgentHeaderTest.php
new file mode 100644
index 00000000000..5e6ca45ba95
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpAgentHeaderTest.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Ucp\Signature\UcpAgentHeader;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (純ロジック) tests for UcpAgentHeader.
+ *
+ * UCP-Agent ヘッダ (RFC 8941 Dictionary) の profile 抽出と HTTPS 必須を検証する。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md (UCP-Agent header)
+ */
+final class UcpAgentHeaderTest extends TestCase
+{
+    public function testParsesProfileUrl(): void
+    {
+        $header = UcpAgentHeader::parse('profile="https://agent.example/.well-known/ucp"');
+
+        $this->assertSame('https://agent.example/.well-known/ucp', $header->profileUrl);
+        $this->assertSame('agent.example', $header->host());
+    }
+
+    public function testRejectsMissingProfile(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        UcpAgentHeader::parse('version="1"');
+    }
+
+    public function testRejectsNonHttpsProfile(): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('HTTPS');
+        UcpAgentHeader::parse('profile="http://agent.example/.well-known/ucp"');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcherTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcherTest.php
new file mode 100644
index 00000000000..765167a84f6
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpProfileFetcherTest.php
@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Exception\UcpSignatureException;
+use Eccube\Service\AgentCommerce\Ucp\Signature\UcpProfileFetcher;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+
+/**
+ * Layer 4 (SSRF 対策) tests for UcpProfileFetcher.
+ *
+ * profile URL は UCP-Agent ヘッダ由来 (エージェント供給) のため、内部アドレスへの到達を
+ * HTTP リクエスト前に遮断することを検証する。HTTPS 必須・公開アドレス限定。
+ */
+final class UcpProfileFetcherTest extends TestCase
+{
+    /**
+     * @return MockHttpClient HTTP リクエストが発生したら失敗する (SSRF 遮断はリクエスト前)
+     */
+    private function failingClient(): MockHttpClient
+    {
+        return new MockHttpClient(static function (): MockResponse {
+            throw new \LogicException('HTTP request must not be performed for a blocked host.');
+        });
+    }
+
+    public function testRejectsNonHttps(): void
+    {
+        $fetcher = new UcpProfileFetcher($this->failingClient());
+
+        $this->expectException(UcpSignatureException::class);
+        $fetcher->fetchSigningKeys('http://agent.example/.well-known/ucp');
+    }
+
+    public function testRejectsLoopbackLiteral(): void
+    {
+        $fetcher = new UcpProfileFetcher($this->failingClient());
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('non-public address');
+        $fetcher->fetchSigningKeys('https://127.0.0.1/.well-known/ucp');
+    }
+
+    public function testRejectsCloudMetadataLinkLocalLiteral(): void
+    {
+        $fetcher = new UcpProfileFetcher($this->failingClient());
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('non-public address');
+        // クラウドメタデータエンドポイント (169.254.169.254) は link-local。
+        $fetcher->fetchSigningKeys('https://169.254.169.254/.well-known/ucp');
+    }
+
+    public function testRejectsPrivateRangeResolution(): void
+    {
+        // ドメインが RFC1918 アドレスへ解決するケース (DNS リバインディング型攻撃)。
+        $fetcher = new UcpProfileFetcher($this->failingClient(), static fn (string $host): array => ['10.0.0.5']);
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('non-public address');
+        $fetcher->fetchSigningKeys('https://internal.attacker.example/.well-known/ucp');
+    }
+
+    public function testAllowsPublicHostAndReturnsKeys(): void
+    {
+        $profile = ['signing_keys' => [['kid' => 'k1', 'kty' => 'EC', 'crv' => 'P-256', 'x' => 'AA', 'y' => 'BB']]];
+        $client = new MockHttpClient(new MockResponse((string) json_encode($profile), ['http_code' => 200]));
+        $fetcher = new UcpProfileFetcher($client, static fn (string $host): array => ['93.184.216.34']);
+
+        $keys = $fetcher->fetchSigningKeys('https://agent.example/.well-known/ucp');
+
+        $this->assertCount(1, $keys);
+        $this->assertSame('k1', $keys[0]['kid']);
+    }
+
+    public function testRejectsUnresolvableHost(): void
+    {
+        $fetcher = new UcpProfileFetcher($this->failingClient(), static fn (string $host): false => false);
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('could not be resolved');
+        $fetcher->fetchSigningKeys('https://nx.example/.well-known/ucp');
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifierTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifierTest.php
new file mode 100644
index 00000000000..758a5ab3f24
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/Signature/UcpRequestSignatureVerifierTest.php
@@ -0,0 +1,182 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp\Signature;
+
+use Eccube\Service\AgentCommerce\Exception\UcpSignatureException;
+use Eccube\Service\AgentCommerce\Ucp\Signature\Rfc9421SignatureBaseBuilder;
+use Eccube\Service\AgentCommerce\Ucp\Signature\UcpProfileFetcher;
+use Eccube\Service\AgentCommerce\Ucp\Signature\UcpRequestSignatureVerifier;
+use phpseclib3\Crypt\EC;
+use phpseclib3\Crypt\EC\PrivateKey;
+use phpseclib3\Crypt\EC\PublicKey;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Layer 4 (認証/署名) tests for UcpRequestSignatureVerifier.
+ *
+ * RFC 9421 / ES256 のインバウンド署名検証を、実 EC 鍵で署名したリクエストとモック profile を用いて
+ * 検証する。正常系のほか、改竄署名・別鍵・Content-Digest 不一致・許可外ドメインを reject することを確認する。
+ *
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP signatures.md (RFC 9421, ES256, Content-Digest)
+ * @see https://www.rfc-editor.org/rfc/rfc9421
+ */
+final class UcpRequestSignatureVerifierTest extends TestCase
+{
+    private const KID = 'agent-key-1';
+
+    private const PROFILE_URL = 'https://agent.example/.well-known/ucp';
+
+    private PrivateKey $privateKey;
+
+    private Rfc9421SignatureBaseBuilder $baseBuilder;
+
+    protected function setUp(): void
+    {
+        /** @var PrivateKey $key */
+        $key = EC::createKey('secp256r1');
+        $this->privateKey = $key;
+        $this->baseBuilder = new Rfc9421SignatureBaseBuilder();
+    }
+
+    public function testVerifiesValidSignature(): void
+    {
+        $request = $this->signedRequest($this->privateKey->getPublicKey());
+        $verifier = $this->verifierWithKey($this->privateKey->getPublicKey());
+
+        $agent = $verifier->verify($request);
+
+        $this->assertSame(self::PROFILE_URL, $agent->profileUrl, '正しい署名は検証を通過しエージェント情報を返す');
+    }
+
+    public function testRejectsTamperedSignature(): void
+    {
+        $request = $this->signedRequest($this->privateKey->getPublicKey(), tamperSignature: true);
+        $verifier = $this->verifierWithKey($this->privateKey->getPublicKey());
+
+        $this->expectException(UcpSignatureException::class);
+        $verifier->verify($request);
+    }
+
+    public function testRejectsWrongPublicKey(): void
+    {
+        /** @var PrivateKey $other */
+        $other = EC::createKey('secp256r1');
+        $request = $this->signedRequest($this->privateKey->getPublicKey());
+        // profile は別人の公開鍵を広告する。
+        $verifier = $this->verifierWithKey($other->getPublicKey());
+
+        $this->expectException(UcpSignatureException::class);
+        $verifier->verify($request);
+    }
+
+    public function testRejectsContentDigestMismatch(): void
+    {
+        $request = $this->signedRequest($this->privateKey->getPublicKey());
+        // ボディを差し替えて Content-Digest を不整合にする。
+        $request->headers->set('Content-Digest', 'sha-256=:'.base64_encode(hash('sha256', 'tampered', true)).':');
+        $verifier = $this->verifierWithKey($this->privateKey->getPublicKey());
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('Content-Digest');
+        $verifier->verify($request);
+    }
+
+    public function testRejectsDisallowedDomain(): void
+    {
+        $request = $this->signedRequest($this->privateKey->getPublicKey());
+        $verifier = $this->verifierWithKey($this->privateKey->getPublicKey(), ['trusted.example']);
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('not allowed');
+        $verifier->verify($request);
+    }
+
+    public function testRejectsMissingUcpAgentHeader(): void
+    {
+        $request = Request::create('https://shop.example/ucp/checkout-sessions', Request::METHOD_POST, [], [], [], [], '{}');
+        $verifier = $this->verifierWithKey($this->privateKey->getPublicKey());
+
+        $this->expectException(UcpSignatureException::class);
+        $this->expectExceptionMessage('UCP-Agent');
+        $verifier->verify($request);
+    }
+
+    /**
+     * 指定公開鍵を signing_keys[] に広告する profile を返す verifier を組み立てる.
+     *
+     * @param list<string> $allowedDomains
+     */
+    private function verifierWithKey(PublicKey $advertisedKey, array $allowedDomains = []): UcpRequestSignatureVerifier
+    {
+        $profile = ['signing_keys' => [$this->toJwk($advertisedKey, self::KID)]];
+        $httpClient = new MockHttpClient(new MockResponse((string) json_encode($profile), ['http_code' => 200]));
+        // テストの profile ホスト (agent.example) は実解決できないため、公開 IP へ解決するスタブを注入する。
+        $fetcher = new UcpProfileFetcher($httpClient, static fn (string $host): array => ['93.184.216.34']);
+
+        return new UcpRequestSignatureVerifier($fetcher, $this->baseBuilder, $allowedDomains);
+    }
+
+    /**
+     * 実 EC 秘密鍵で署名した POST リクエストを生成する.
+     */
+    private function signedRequest(PublicKey $publicKey, bool $tamperSignature = false): Request
+    {
+        $body = '{"line_items":[{"item":{"id":"1"},"quantity":1}]}';
+        $request = Request::create('https://shop.example/ucp/checkout-sessions', Request::METHOD_POST, [], [], [], [], $body);
+        $request->headers->set('UCP-Agent', sprintf('profile="%s"', self::PROFILE_URL));
+        $request->headers->set('Content-Type', 'application/json');
+        $request->headers->set('Content-Digest', 'sha-256=:'.base64_encode(hash('sha256', $body, true)).':');
+
+        $components = ['@method', '@authority', '@path', 'ucp-agent', 'content-digest', 'content-type'];
+        $params = sprintf('(%s);keyid="%s";alg="ecdsa-p256-sha256"', implode(' ', array_map(static fn (string $c): string => '"'.$c.'"', $components)), self::KID);
+
+        $base = $this->baseBuilder->build($request, $components, $params);
+        $raw = $this->privateKey->withSignatureFormat('IEEE')->withHash('sha256')->sign($base);
+        if ($tamperSignature) {
+            $raw[0] = $raw[0] === "\x00" ? "\x01" : "\x00";
+        }
+
+        $request->headers->set('Signature-Input', 'sig1='.$params);
+        $request->headers->set('Signature', 'sig1=:'.base64_encode((string) $raw).':');
+
+        return $request;
+    }
+
+    /**
+     * 公開鍵を kid 付き EC JWK へ変換する.
+     *
+     * @return array<string, mixed>
+     */
+    private function toJwk(PublicKey $publicKey, string $kid): array
+    {
+        /** @var array<string, mixed> $decoded */
+        $decoded = json_decode($publicKey->toString('JWK'), true);
+        if (isset($decoded['keys'][0]) && is_array($decoded['keys'][0])) {
+            $decoded = $decoded['keys'][0];
+        }
+
+        return [
+            'kid' => $kid,
+            'kty' => 'EC',
+            'crv' => $decoded['crv'] ?? 'P-256',
+            'x' => $decoded['x'],
+            'y' => $decoded['y'],
+        ];
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpMessageMapperTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpMessageMapperTest.php
new file mode 100644
index 00000000000..e86e0267299
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpMessageMapperTest.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp;
+
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessage;
+use Eccube\Service\AgentCommerce\CheckoutSession\AgentCheckoutMessageLevel;
+use Eccube\Service\AgentCommerce\Ucp\UcpMessageMapper;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (純ロジック) tests for UcpMessageMapper.
+ *
+ * 中立メッセージ -> UCP messages[] (type/severity/content) の変換を検証する。
+ */
+final class UcpMessageMapperTest extends TestCase
+{
+    private UcpMessageMapper $mapper;
+
+    protected function setUp(): void
+    {
+        $this->mapper = new UcpMessageMapper();
+    }
+
+    public function testErrorMessageCarriesRecoverableSeverity(): void
+    {
+        $result = $this->mapper->toUcpMessages([
+            new AgentCheckoutMessage(AgentCheckoutMessageLevel::ERROR, '在庫が不足しています'),
+        ]);
+
+        $this->assertCount(1, $result);
+        $this->assertSame('error', $result[0]['type']);
+        $this->assertSame('recoverable', $result[0]['severity'], 'PurchaseFlow 由来のエラーは update で再試行可能なため recoverable');
+        $this->assertSame('在庫が不足しています', $result[0]['content']);
+        $this->assertSame('plain', $result[0]['content_type']);
+    }
+
+    public function testWarningAndInfoHaveNoSeverity(): void
+    {
+        $result = $this->mapper->toUcpMessages([
+            new AgentCheckoutMessage(AgentCheckoutMessageLevel::WARNING, '警告'),
+            new AgentCheckoutMessage(AgentCheckoutMessageLevel::INFO, '案内'),
+        ]);
+
+        $this->assertSame('warning', $result[0]['type']);
+        $this->assertArrayNotHasKey('severity', $result[0]);
+        $this->assertSame('info', $result[1]['type']);
+        $this->assertArrayNotHasKey('severity', $result[1]);
+    }
+
+    public function testRequiresEscalationDetectsBuyerInputSeverity(): void
+    {
+        $this->assertFalse($this->mapper->requiresEscalation([['type' => 'error', 'severity' => 'recoverable']]));
+        $this->assertTrue($this->mapper->requiresEscalation([['type' => 'error', 'severity' => 'requires_buyer_input']]));
+        $this->assertTrue($this->mapper->requiresEscalation([['type' => 'error', 'severity' => 'requires_buyer_review']]));
+    }
+}
diff --git a/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpStatusMapperTest.php b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpStatusMapperTest.php
new file mode 100644
index 00000000000..9e916ee78c5
--- /dev/null
+++ b/tests/Eccube/Tests/Service/AgentCommerce/Ucp/UcpStatusMapperTest.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Service\AgentCommerce\Ucp;
+
+use Eccube\Entity\Master\CheckoutSessionStatus;
+use Eccube\Service\AgentCommerce\Ucp\UcpStatusMapper;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Layer 1 (純ロジック) tests for UcpStatusMapper.
+ *
+ * 正規化ステータスマスタ -> UCP status 語彙の境界変換 (ready -> ready_for_complete) を検証する。
+ */
+final class UcpStatusMapperTest extends TestCase
+{
+    private UcpStatusMapper $mapper;
+
+    protected function setUp(): void
+    {
+        $this->mapper = new UcpStatusMapper();
+    }
+
+    private function makeStatus(int $id): CheckoutSessionStatus
+    {
+        $status = new CheckoutSessionStatus();
+        $status->setId($id);
+
+        return $status;
+    }
+
+    public function testReadyMapsToReadyForComplete(): void
+    {
+        $this->assertSame('ready_for_complete', $this->mapper->toUcpStatus($this->makeStatus(CheckoutSessionStatus::READY)), 'EC-CUBE の ready は UCP の ready_for_complete へ変換する');
+    }
+
+    public function testIncompleteMapsToIncomplete(): void
+    {
+        $this->assertSame('incomplete', $this->mapper->toUcpStatus($this->makeStatus(CheckoutSessionStatus::INCOMPLETE)));
+    }
+
+    public function testCompletedAndCanceled(): void
+    {
+        $this->assertSame('completed', $this->mapper->toUcpStatus($this->makeStatus(CheckoutSessionStatus::COMPLETED)));
+        $this->assertSame('canceled', $this->mapper->toUcpStatus($this->makeStatus(CheckoutSessionStatus::CANCELED)));
+    }
+
+    public function testExpiredFallsBackToCanceled(): void
+    {
+        $this->assertSame('canceled', $this->mapper->toUcpStatus($this->makeStatus(CheckoutSessionStatus::EXPIRED)), 'UCP 語彙に無い expired は終端の canceled として表現する');
+    }
+
+    public function testNullStatusDefaultsToIncomplete(): void
+    {
+        $this->assertSame('incomplete', $this->mapper->toUcpStatus(null));
+    }
+}
diff --git a/tests/Eccube/Tests/Web/AgentCommerce/UcpCheckoutControllerTest.php b/tests/Eccube/Tests/Web/AgentCommerce/UcpCheckoutControllerTest.php
new file mode 100644
index 00000000000..af569ffab74
--- /dev/null
+++ b/tests/Eccube/Tests/Web/AgentCommerce/UcpCheckoutControllerTest.php
@@ -0,0 +1,186 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Web\AgentCommerce;
+
+use Eccube\Entity\ProductClass;
+use Eccube\Repository\BaseInfoRepository;
+use Eccube\Tests\EccubeTestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Layer 2 (エンドポイント単体) tests for UcpCheckoutController.
+ *
+ * UCP checkout の 5 エンドポイントを HTTP レベルで検証する。create→get→complete のハッピーパス、
+ * 住所未確定の incomplete、他セッション遮断 (404)、Idempotency-Key リプレイ、cancel を確認する。
+ *
+ * @see https://github.com/EC-CUBE/ec-cube/issues/6574
+ * @see https://github.com/Universal-Commerce-Protocol/ucp UCP checkout-rest.md (v2026-04-08)
+ */
+final class UcpCheckoutControllerTest extends EccubeTestCase
+{
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $baseInfo = self::getContainer()->get(BaseInfoRepository::class)->get();
+        $baseInfo->setUcpCheckoutEnabled(true);
+        $this->entityManager->flush();
+    }
+
+    private function createPurchasableProductClass(string $stock = '100'): ProductClass
+    {
+        $Product = $this->createProduct('UCP チェックアウトテスト商品', 1);
+        /** @var ProductClass $ProductClass */
+        $ProductClass = $Product->getProductClasses()[0];
+        $ProductClass->setStock($stock);
+        $ProductClass->setStockUnlimited(false);
+        $this->entityManager->flush();
+
+        return $ProductClass;
+    }
+
+    /**
+     * @param array<string, mixed> $body
+     *
+     * @return array<string, mixed>
+     */
+    private function postJson(string $uri, array $body, string $method = 'POST', array $server = []): array
+    {
+        $this->client->request($method, $uri, [], [], array_merge(['CONTENT_TYPE' => 'application/json'], $server), (string) json_encode($body));
+        $response = $this->client->getResponse();
+
+        /** @var array<string, mixed> $decoded */
+        $decoded = json_decode((string) $response->getContent(), true);
+
+        return $decoded;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function createPayload(int $productClassId, bool $withAddress = true): array
+    {
+        $payload = [
+            'currency' => 'JPY',
+            'line_items' => [['item' => ['id' => (string) $productClassId], 'quantity' => 1]],
+            'buyer' => ['first_name' => '太郎', 'last_name' => '山田', 'email' => 'ucp-agent@example.com', 'phone_number' => '0612345678'],
+        ];
+
+        if ($withAddress) {
+            $payload['fulfillment'] = [
+                'destinations' => [[
+                    'id' => 'dest-1',
+                    'last_name' => '山田',
+                    'first_name' => '太郎',
+                    'postal_code' => '5300001',
+                    'address_region' => '大阪府',
+                    'address_locality' => '大阪市北区',
+                    'street_address' => '梅田1-1-1',
+                    'phone_number' => '0612345678',
+                ]],
+            ];
+        }
+
+        return $payload;
+    }
+
+    public function testCreateGetCompleteHappyPath(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+
+        $created = $this->postJson('/ucp/checkout-sessions', $this->createPayload((int) $ProductClass->getId()));
+        $this->assertSame(Response::HTTP_CREATED, $this->client->getResponse()->getStatusCode(), 'create は 201 を返す');
+        $this->assertSame('2026-04-08', $created['ucp']['version'], 'UCP バージョンを広告する');
+        $this->assertSame('ready_for_complete', $created['status'], '住所と在庫が揃えば ready_for_complete');
+        $this->assertNotEmpty($created['id']);
+        $this->assertSame('JPY', $created['currency']);
+
+        // totals: subtotal/total が必ず1つずつ存在する (MUST)。
+        $types = array_column($created['totals'], 'type');
+        $this->assertCount(1, array_keys($types, 'subtotal', true), 'totals は subtotal をちょうど1つ含む');
+        $this->assertCount(1, array_keys($types, 'total', true), 'totals は total をちょうど1つ含む');
+
+        // links: privacy_policy / terms_of_service (法令順守のため必須)。
+        $linkTypes = array_column($created['links'], 'type');
+        $this->assertContains('privacy_policy', $linkTypes);
+        $this->assertContains('terms_of_service', $linkTypes);
+
+        $sessionId = $created['id'];
+
+        // GET 取得。
+        $this->client->request(Request::METHOD_GET, '/ucp/checkout-sessions/'.$sessionId);
+        $this->assertSame(Response::HTTP_OK, $this->client->getResponse()->getStatusCode(), 'get は 200');
+
+        // complete。
+        $completed = $this->postJson('/ucp/checkout-sessions/'.$sessionId.'/complete', []);
+        $this->assertSame(Response::HTTP_OK, $this->client->getResponse()->getStatusCode(), 'complete は 200');
+        $this->assertSame('completed', $completed['status'], 'complete 後は completed');
+        $this->assertArrayHasKey('order', $completed, 'complete 後は order を含む (MUST)');
+        $this->assertNotEmpty($completed['order']['id']);
+        $this->assertNotEmpty($completed['order']['permalink_url'], 'order.permalink_url は必須');
+    }
+
+    public function testCreateWithoutAddressIsIncomplete(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+
+        $created = $this->postJson('/ucp/checkout-sessions', $this->createPayload((int) $ProductClass->getId(), withAddress: false));
+
+        $this->assertSame(Response::HTTP_CREATED, $this->client->getResponse()->getStatusCode(), (string) $this->client->getResponse()->getContent());
+        $this->assertSame('incomplete', $created['status'], '住所未確定なら incomplete');
+        $this->assertNotEmpty($created['messages'], '住所要求のメッセージを含む');
+        $this->assertSame('recoverable', $created['messages'][0]['severity'], '住所は update で再入力可能なため recoverable');
+    }
+
+    public function testGetUnknownSessionReturns404(): void
+    {
+        $this->client->request(Request::METHOD_GET, '/ucp/checkout-sessions/ucp_cs_does_not_exist');
+        $this->assertSame(Response::HTTP_NOT_FOUND, $this->client->getResponse()->getStatusCode(), '存在しない/他マーチャントのセッションは 404');
+    }
+
+    public function testIdempotentCreateReplaysSameSession(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $payload = $this->createPayload((int) $ProductClass->getId());
+
+        $first = $this->postJson('/ucp/checkout-sessions', $payload, 'POST', ['HTTP_Idempotency-Key' => 'idem-key-1']);
+        $second = $this->postJson('/ucp/checkout-sessions', $payload, 'POST', ['HTTP_Idempotency-Key' => 'idem-key-1']);
+
+        $this->assertSame($first['id'], $second['id'], 'MUST NOT re-execute: 同一キーは同じセッションをリプレイする');
+    }
+
+    public function testCancel(): void
+    {
+        $ProductClass = $this->createPurchasableProductClass('100');
+        $created = $this->postJson('/ucp/checkout-sessions', $this->createPayload((int) $ProductClass->getId()));
+        $sessionId = $created['id'];
+
+        $canceled = $this->postJson('/ucp/checkout-sessions/'.$sessionId.'/cancel', []);
+        $this->assertSame(Response::HTTP_OK, $this->client->getResponse()->getStatusCode(), (string) $this->client->getResponse()->getContent());
+        $this->assertSame('canceled', $canceled['status'], 'cancel 後は canceled');
+    }
+
+    public function testDisabledFlagReturns404(): void
+    {
+        $baseInfo = self::getContainer()->get(BaseInfoRepository::class)->get();
+        $baseInfo->setUcpCheckoutEnabled(false);
+        $this->entityManager->flush();
+
+        $this->client->request(Request::METHOD_GET, '/ucp/checkout-sessions/ucp_cs_anything');
+        $this->assertSame(Response::HTTP_NOT_FOUND, $this->client->getResponse()->getStatusCode(), 'ucp_checkout_enabled=false なら 404');
+    }
+}