
angeo/module-ucp
================

Spec-compliant Universal Commerce Protocol (UCP) profile generator for Magento 2. Generates /.well-known/ucp at protocol version 2026-04-08 with ECDSA P-256 signing keys, declared capabilities, and proper cache headers. v0.1.x is profile-only — catalog, cart, checkout endpoints land in later releases.


[Source](https://github.com/angeo-dev/module-ucp) · [Packagist](https://packagist.org/packages/angeo/module-ucp)


**Spec-compliant Universal Commerce Protocol (UCP) profile generator for Magento 2.**

Generates `/.well-known/ucp` at protocol version `2026-04-08` with ECDSA P-256 signing keys, declared capabilities, and proper cache headers — the discovery layer AI agents fetch first when interacting with your store.

> **v0.1.x is the profile-only release line.** It exposes a valid UCP profile to AI platforms. The actual REST endpoints for catalog, cart, checkout and order land in later versions. Enabling a capability here adds it to the advertised profile but does NOT implement the matching endpoint — leave capabilities disabled in production until the matching endpoint module is installed. The current pre-release is `0.1.1-beta`; install it explicitly per [Installation](#installation) below.

---

What it does
------------

- Serves a spec-compliant UCP profile at `https://yourstore.com/.well-known/ucp`
- Declares the `dev.ucp.shopping` REST service binding
- Lets you toggle which capabilities to advertise: catalog, cart, checkout, order, identity_linking
- Generates ECDSA P-256 signing keys (JWK + PEM) via CLI
- Returns correct `Cache-Control: public, max-age=300` headers
- Returns `404 ucp_not_advertised` when the module is disabled — never a misleading empty profile

---

Requirements
------------

| Requirement | Version |
|---|---|
| Magento | 2.4.7+ |
| PHP | 8.2 or 8.3 or 8.4 |
| OpenSSL extension | enabled |

---

Installation
------------

The current `0.1.x` line is a beta — install with the explicit `@beta` stability qualifier:

```
composer require angeo/module-ucp:^0.1@beta
bin/magento module:enable Angeo_Ucp
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush
```

The `@beta` qualifier scopes the stability exception to this package only — your project's other dependencies stay locked to whatever `minimum-stability` you have configured.

Once the `0.1.x` line goes stable (planned after a short field-test window) the installation command will simply be `composer require angeo/module-ucp`.

> **Note on `0.1.0`:** an early `0.1.0` tag was published before the composer.json was valid and before `magento/module-store` was declared as a dependency. `0.1.0` is treated as yanked — start from `0.1.1-beta` or later.

---

Quick start
-----------

### 1. Generate signing keys

```
bin/magento angeo:ucp:keys:generate
```

This generates an ECDSA P-256 keypair, saves the **public** JWK to config, and prints the **private** PEM to stdout exactly once. Copy the private PEM into `app/etc/env.php`:

```
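// app/etc/env.php: maps the key ID (the `kid` in the profile) to the private PEM printed by keys:generate
'ucp' => [
    'signing_keys' => [
        'angeo-ucp-2026-abcd' => '',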
    ],
],
```

### 2. Enable the profile in admin

Stores → Configuration → Angeo → UCP → General → **Advertise UCP Profile: Yes**.

### 3. Verify

```
curl -s https://yourstore.com/.well-known/ucp | python3 -m json.tool
```

Expected output:

```
{
    "ucp": {
        "version": "2026-04-08",
        "services": {
            "dev.ucp.shopping": [
                {
                    "version": "2026-04-08",
                    "spec": "https://ucp.dev/2026-04-08/specification/overview",
                    "transport": "rest",
                    "endpoint": "https://yourstore.com/rest/V1/ucp",
                    "schema": "https://ucp.dev/2026-04-08/services/shopping/rest.openapi.json"
                }
            ]
        },
        "capabilities": {}
    },
    "signing_keys": [
        {
            "kid": "angeo-ucp-2026-abcd",
            "kty": "EC",
            "crv": "P-256",
            "x": "...",
            "y": "...",
            "use": "sig",
            "alg": "ES256"
        }
    ]
}
```

### 4. Validate (optional)

```
bin/magento angeo:ucp:validate --json
```

Prints a green pass if the profile is well-formed; non-zero exit on validation failure (useful as a cron healthcheck).

---

Admin configuration
-------------------

| Path | Field | Purpose |
|---|---|---|
| General → Advertise UCP Profile | Yes/No | Master switch for `/.well-known/ucp` |
| Capabilities → Catalog | Yes/No | Advertise `dev.ucp.shopping.catalog` |
| Capabilities → Cart | Yes/No | Advertise `dev.ucp.shopping.cart` |
| Capabilities → Checkout | Yes/No | Advertise `dev.ucp.shopping.checkout` |
| Capabilities → Order | Yes/No | Advertise `dev.ucp.shopping.order` |
| Capabilities → Identity Linking | Yes/No | Advertise `dev.ucp.common.identity_linking` |
| Transport → REST Endpoint URL | URL | Override the default `{baseUrl}/rest/V1/ucp` |
| Keys → Public JWK | textarea | Populated by `keys:generate` |

All capability and transport settings are scoped to the **store view** — multi-store deployments can advertise different profiles per storefront.

> **Multi-store on a single domain:** `/.well-known/ucp` is a single path on the host, so Magento's StoreResolver picks one store view to render it. If multiple store views share a host, the bare host resolves to one of them (typically the default), and that store's profile is what AI agents see. To advertise different UCP profiles per store, give each store its own hostname.

---

CLI commands
------------

| Command | Purpose |
|---|---|
| `bin/magento angeo:ucp:keys:generate [--force]` | Generate a new P-256 keypair; print private PEM once, save public JWK to config |
| `bin/magento angeo:ucp:validate [--json]` | Validate the generated profile structure; optionally print the JSON |

---

Architecture
------------

```
HTTP request: GET /.well-known/ucp
        │
        ▼
Angeo\Ucp\Controller\Router  (sortOrder=22, runs before CMS router)
        │
        ▼
Angeo\Ucp\Controller\WellKnown\Ucp  (HttpGetActionInterface)
        │
        ▼
Angeo\Ucp\Model\ProfileGenerator   ←  Angeo\Ucp\Model\Config
        │                                     │
        │                                     └── reads core_config_data
        ▼
JSON response with:
  - Content-Type: application/json
  - Cache-Control: public, max-age=300
  - X-UCP-Version: 2026-04-08

```

---

Security model
--------------

- **Private keys are never stored in the database.** The `keys:generate` command prints them once to stdout. Operators are responsible for placing them in `app/etc/env.php` or a secrets manager.
- **`Config::getPublicSigningKeys()` strips private JWK fields** (`d`, `p`, `q`, `dp`, `dq`, `qi`) as defence-in-depth before serialization, in case private material ever ends up in config by mistake.
- **HTTPS-only by design.** The UCP spec requires HTTPS for `/.well-known/ucp`; this module's audit check refuses a non-HTTPS endpoint URL.
- **Cache headers comply with the spec** (`public`, `max-age >= 60`). The module sends `max-age=300`.
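
An external check of the properties listed above, as an added example (not part of the module or its test suite): it audits a fetched profile body and `Cache-Control` value for published private JWK members, P-256 coordinate width, non-HTTPS endpoints and the cache rule. The function names and the sample profile are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

# Private JWK members the README says getPublicSigningKeys() strips.
PRIVATE_JWK_FIELDS = {"d", "p", "q", "dp", "dq", "qi"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_profile(body: str, cache_control: str) -> list[str]:
    """Return findings for a fetched profile; an empty list means all checks passed."""
    findings = []
    profile = json.loads(body)
    for key in profile.get("signing_keys", []):
        kid = key.get("kid", "<no kid>")
        leaked = sorted(key.keys() & PRIVATE_JWK_FIELDS)
        if leaked:
            findings.append(f"{kid}: private JWK fields published: {leaked}")
        if (key.get("kty"), key.get("crv")) != ("EC", "P-256"):
            findings.append(f"{kid}: not an EC P-256 key")
        for coord in ("x", "y"):
            value = key.get(coord, "")
            try:  # unpadded base64url must decode to exactly 32 bytes
                width = len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
            except (ValueError, TypeError):
                width = -1
            if width != 32:
                findings.append(f"{kid}: coordinate {coord} is not 32 bytes")
    for bindings in profile.get("ucp", {}).get("services", {}).values():
        for binding in bindings:
            if urlparse(binding.get("endpoint", "")).scheme != "https":
                findings.append(f"non-HTTPS endpoint: {binding.get('endpoint')}")
    directives = [d.strip().lower() for d in cache_control.split(",")]
    max_age = next((int(d[8:]) for d in directives
                    if d.startswith("max-age=") and d[8:].isdigit()), 0)
    if "public" not in directives or max_age < 60:
        findings.append(f"Cache-Control out of spec: {cache_control!r}")
    return findings

def constructed_profile(**extra_key_fields) -> str:
    """Constructed sample shaped like the README's expected output; not a real key."""
    key = {"kid": "angeo-ucp-2026-abcd", "kty": "EC", "crv": "P-256", "use": "sig",
           "alg": "ES256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    key.update(extra_key_fields)
    service = {"transport": "rest", "endpoint": "https://yourstore.com/rest/V1/ucp"}
    return json.dumps({"ucp": {"version": "2026-04-08", "capabilities": {},
                               "services": {"dev.ucp.shopping": [service]}},
                       "signing_keys": [key]})
```

Calling `audit_profile(constructed_profile(), "public, max-age=300")` returns an empty list; passing a private `d` member or a short coordinate through `constructed_profile(...)` produces one finding per problem.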

---

Testing
-------

```
composer install
vendor/bin/phpunit --testsuite=unit
```

Three test classes cover the critical paths:

- `ProfileGeneratorTest` — protocol version, namespace correctness, JSON encoding, capability toggling
- `JwkFormatterTest` — RFC 7518 base64url coordinate encoding, 32-byte P-256 width, private-field rejection
- `ConfigTest` — store-base-url fallback, private-key sanitization

CI runs the matrix PHP 8.2 / 8.3 / 8.4 on every push.

---

Roadmap
-------

| Version | Scope |
|---|---|
| **0.1.1-beta** *(current)* | Profile generator, signing keys, admin UI, CLI, tests, CI |
| **0.2.0** | `dev.ucp.shopping.catalog` real endpoint (search + lookup) backed by `Magento_Catalog` |
| **0.3.0** | `UCP-Agent` header parsing, platform profile fetching, capability intersection |
| **0.4.0** | RFC 9421 HTTP Message Signatures for outgoing responses |
| **0.5.0** | Cart capability |
| **1.0.0** | Production-ready full UCP shopping vertical |

Roadmap will shift as the UCP specification evolves.

---

License
-------

MIT License — see [LICENSE](LICENSE)

Maintained by **[Ievgenii Gryshkun](https://angeo.dev)**

