Reference

Verification & test results

Last verified locally against the Dockware container shopware-ucp and the

UCP Test Results

Last verified locally against the Dockware container shopware-ucp and the local UCP Simulator on localhost:4100.

Summary

Test area	Scope	Result
PHPUnit unit tests	UCP core + AP2 plugin parser tests	Passed: `104 tests, 165 assertions`
Direct REST smoke	Catalog product, cart, checkout, order placement	Passed
Direct MCP smoke	`get_product`, cart, checkout, order placement	Passed
Simulator matrix	All scenarios once via REST and once via MCP	Passed: `34/34`
Official UCP conformance	Upstream `Universal-Commerce-Protocol/conformance` Python suite	Passed: `TOTAL=13 FAILURES=0`

A. Unit And Integration-Level Tests

Command executed in the Dockware container:

bash

docker exec shopware-ucp /tmp/phpunit-runner/vendor/bin/phpunit \
  --bootstrap /tmp/phpunit-runner/bootstrap.php \
  --colors=never \
  /var/www/html/tests/unit/Core/Framework/Ucp \
  /var/www/html/custom/plugins/SwagUcpAp2Mandates/tests

Result:

text

PHPUnit 11.5.55, PHP 8.3.25
OK (104 tests, 165 assertions)

Test file	What it verifies	Result
`tests/unit/Core/Framework/Ucp/Capability/Attribution/AttributionExtractorTest.php`	UCP attribution input normalization and response echo behavior.	Passed
`tests/unit/Core/Framework/Ucp/Capability/CapabilityNegotiatorTest.php`	Capability intersection, version matching, and extension pruning.	Passed
`tests/unit/Core/Framework/Ucp/Capability/CapabilityRegistryTest.php`	Capability registration and lookup behavior.	Passed
`tests/unit/Core/Framework/Ucp/Capability/Catalog/CursorCodecTest.php`	Opaque cursor HMAC signing, TTL, query binding, and tamper rejection.	Passed
`tests/unit/Core/Framework/Ucp/Capability/Checkout/CheckoutStatusResolverTest.php`	Checkout status and message mapping from Shopware cart state.	Passed
`tests/unit/Core/Framework/Ucp/Capability/IdentityLinking/Auth/ClientAuthenticatorSecurityTest.php`	OAuth client auth security, especially `private_key_jwt` replay handling.	Passed
`tests/unit/Core/Framework/Ucp/Capability/Signals/SignalsExtractorTest.php`	Rejection of untrusted platform signals on unsigned/unverified requests.	Passed
`tests/unit/Core/Framework/Ucp/DependencyInjection/UcpCapabilityCompilerPassTest.php`	DI compiler-pass wiring for UCP capabilities.	Passed
`tests/unit/Core/Framework/Ucp/Discovery/SupportedVersionsRegistryTest.php`	Historical version support map generation.	Passed
`tests/unit/Core/Framework/Ucp/Idempotency/IdempotencyStoreTest.php`	Idempotency key fingerprinting, replay, conflict, and stale claim behavior.	Passed
`tests/unit/Core/Framework/Ucp/Jwt/EcKeyGeneratorTest.php`	EC JWK generation and signature conversion helpers.	Passed
`tests/unit/Core/Framework/Ucp/Jwt/JsonCanonicalizationTest.php`	JCS/RFC 8785 deterministic JSON canonicalization for signatures.	Passed
`tests/unit/Core/Framework/Ucp/Profile/PlatformProfileValidatorTest.php`	Platform profile schema and structural validation.	Passed
`tests/unit/Core/Framework/Ucp/Security/KeyMaterialGuardTest.php`	Redaction of key material from logs/debug contexts.	Passed
`tests/unit/Core/Framework/Ucp/Security/PrivateKeyEncryptorTest.php`	Private key encryption/decryption behavior.	Passed
`tests/unit/Core/Framework/Ucp/Transport/A2A/A2AMessageTranslatorTest.php`	A2A structured data actions to UCP tool intents.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Embedded/EmbeddedControllerSecurityTest.php`	Embedded origin handling and no wildcard postMessage fallback.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Rest/UcpAgentHeaderTest.php`	`UCP-Agent` structured header parsing.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Signature/ContentDigestCalculatorTest.php`	RFC 9530 content digest calculation and verification.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Signature/Rfc9421RoundtripTest.php`	HTTP Message Signature signing and verification round-trip.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Signature/Rfc9421SecurityTest.php`	RFC 9421 negative/security cases such as duplicate key IDs and replay guard.	Passed
`tests/unit/Core/Framework/Ucp/Transport/Signature/SignatureInputParserTest.php`	Signature-Input parsing behavior.	Passed
`tests/unit/Core/Framework/Ucp/UcpExceptionTest.php`	UCP exception factories, error codes, and response mapping.	Passed
`tests/unit/Core/Framework/Ucp/UcpVersionTest.php`	UCP version string validation and current/historical version handling.	Passed
`custom/plugins/SwagUcpAp2Mandates/tests/Unit/Service/SdJwtParserTest.php`	AP2 SD-JWT envelope parsing and malformed input rejection.	Passed

B. Direct End-To-End Tests

These tests were run directly against http://localhost:8080 with Shopware in Docker, independent of the browser UI.

Test	What was exercised	Result
Direct REST catalog product lookup	`POST /ucp/v1/catalog/search`, `POST /ucp/v1/catalog/product`, SKU/ProductNumber resolution.	Passed
Direct REST checkout	`POST /carts`, `POST /checkout-sessions`, `POST /checkout-sessions/{id}/complete`; produced a real Shopware order.	Passed
Direct MCP tool listing	`POST /ucp/mcp` `tools/list`; verified spec tool names `lookup_catalog` and `get_product`.	Passed
Direct MCP checkout	MCP `get_product`, `create_cart`, `create_checkout`, `complete_checkout`; produced a real Shopware order.	Passed
Direct conformance fixture smoke	`bouquet_roses` lookup and checkout creation using `request-signature: test`; verified `USD`, item ID, and `3500` minor-unit total.	Passed

C. Simulator Scenario Tests

Command pattern used:

bash

curl -s -X POST http://localhost:4100/api/run \
  -H 'Content-Type: application/json' \
  -d '{"businessUrl":"http://localhost:8080","transport":"rest","scenarioId":"checkout.happy-path"}'

Each scenario was run once with transport=rest and once with transport=mcp.

Result:

text

34 passed / 34 total

Category	Scenario	What it verifies	REST	MCP
Discovery	`discovery.basic`	`/.well-known/ucp`, profile parsing, capability negotiation.	Passed	Passed
Discovery	`discovery.version-pin`	`supported_versions` lookup and version-pinned profile behavior.	Passed	Passed
Catalog	`catalog.search.basic`	Text search through catalog search.	Passed	Passed
Catalog	`catalog.search.browse`	Filter-only browse with price filters.	Passed	Passed
Catalog	`catalog.cursor-pagination`	Cursor pagination, no duplicate pages, tamper rejection, cross-query rejection.	Passed	Passed
Catalog	`catalog.lookup`	Batch product lookup by IDs using REST lookup and MCP `lookup_catalog`.	Passed	Passed
Cart	`cart.full-lifecycle`	Cart create, update quantity, cancel.	Passed	Passed
Cart	`cart.multi-item`	Multi-item cart totals and line-item handling.	Passed	Passed
Checkout	`checkout.happy-path`	Cart to checkout to complete order.	Passed	Passed
Checkout	`checkout.cart-conversion-idempotent`	Same `cart_id` produces the same checkout session.	Passed	Passed
Extensions	`extension.discount`	Spec `discounts.codes` flow and applied-discount response.	Passed	Passed
Extensions	`extension.ap2-mandate`	AP2 compact-JWS mandate, merchant authorization verification, complete checkout.	Passed	Passed
Extensions	`extension.ap2-sd-jwt`	AP2 SD-JWT VC + Key-Binding mandates with `sd_hash` binding.	Passed	Passed
Identity	`identity.oauth-discover`	OAuth authorization-server metadata and PKCE/issuer fields.	Passed	Passed
Identity	`identity.oauth-initiate`	Authorization URL generation for identity linking.	Passed	Passed
Webhooks	`webhook.listener-only`	Simulator webhook listener discovery and URL publication.	Passed	Passed
Compliance	`compliance.full-suite`	Runs every applicable simulator scenario in sequence.	Passed	Passed

D. Official UCP Repository Tests

Source: upstream Universal-Commerce-Protocol/conformance, cloned temporarily under /tmp/ucp-conformance. The suite was installed with uv and run against the local Dockware shop.

Command pattern:

bash

uv run <test_file> \
  --server_url=http://localhost:8080 \
  --simulation_secret=local-sim-secret \
  --conformance_input=test_data/flower_shop/conformance_input.json

The Shopware conformance run used:

UCP_CONFORMANCE_MODE=1 to enable the non-production test bridge.
UCP_SIMULATION_SECRET=local-sim-secret for simulation endpoints.
bin/console ucp:conformance:seed for the upstream flower_shop fixture.

Result:

text

TOTAL=13 FAILURES=0

Official test file	What it verifies	Result
`ap2_test.py`	AP2 mandate completion flow.	Passed
`binding_test.py`	Token binding completion flow.	Passed
`business_logic_test.py`	Totals, quantity recalculation, discount codes, buyer info and buyer consent persistence.	Passed
`card_credential_test.py`	Card credential payment flow.	Passed
`checkout_lifecycle_test.py`	Checkout create/read/update/cancel/complete lifecycle and terminal-state rejection.	Passed
`fulfillment_test.py`	Fulfillment destinations, option generation, address selection, free shipping and address persistence.	Passed
`idempotency_test.py`	Idempotent create/update/complete/cancel and conflict detection.	Passed
`invalid_input_test.py`	Invalid order adjustment payloads and unknown discount code behavior.	Passed
`order_test.py`	Order retrieval, checkout ID reconciliation, fulfillment expectations, events and adjustments.	Passed
`protocol_test.py`	Discovery profile shape and protocol version negotiation.	Passed, with `test_discovery_urls` skipped upstream because schemas are not published remotely.
`simulation_url_security_test.py`	Simulation endpoint secret requirements.	Passed
`validation_test.py`	Out-of-stock, unknown product, payment failure, missing fulfillment and structured errors.	Passed
`webhook_test.py`	`order_placed` and `order_shipped` webhooks and fulfillment address payloads.	Passed

Final Verification Commands

Additional final checks:

bash

docker exec shopware-ucp /tmp/phpunit-runner/vendor/bin/phpunit \
  --bootstrap /tmp/phpunit-runner/bootstrap.php \
  --colors=never \
  /var/www/html/tests/unit/Core/Framework/Ucp \
  /var/www/html/custom/plugins/SwagUcpAp2Mandates/tests

bash

cd simulator
npm run typecheck

Both commands passed, and IDE lints reported no errors in the edited UCP, AP2, simulator, or documentation paths.