IBX-11536: MCP Servers (#3106)

---------

Co-authored-by: adriendupuis <adriendupuis@users.noreply.github.com>
Co-authored-by: Marek Nocoń <mnocon@users.noreply.github.com>
Co-authored-by: Bartek Wajda <bartlomiej.wajda@ibexa.co>
Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com>

Author: 4 people

code_samples/mcp/config/packages/mcp.security.yaml

@@ -0,0 +1,9 @@
+security:
+    firewalls:
+        # …
+        ibexa_jwt_mcp:
+            request_matcher: Ibexa\Mcp\Security\McpRequestMatcher
+            user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
+            provider: ibexa
+            stateless: true
+            jwt: ~

code_samples/mcp/config/packages/mcp.yaml

@@ -0,0 +1,18 @@
+ibexa:
+    repositories:
+        default:
+            mcp:
+                example:
+                    path: /mcp/example
+                    enabled: true
+                    description: 'Example MCP Server'
+                    instructions: 'Use this server to greet someone.'
+                    discovery_cache: cache.tagaware.filesystem
+                    session:
+                        type: psr16
+                        directory: cache.tagaware.filesystem
+    system:
+        default:
+            mcp:
+                servers:
+                    - example

code_samples/mcp/http.mcp.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "ibexa-example": {
+      "type": "http",
+      "url": "http://localhost/mcp/example",
+      "headers": {
+        "Authorization": "Bearer <JWT token>"
+      },
+      "tools": ["*"]
+    }
+  }
+}

code_samples/mcp/mcp-ibexa-example-wrapper.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+baseUrl='http://localhost' # Adapt to your test case
+
+jwtToken=$(curl -s -X 'POST' \
+  "$baseUrl/api/ibexa/v2/user/token/jwt" \
+  -H 'Content-Type: application/vnd.ibexa.api.JWTInput+json' \
+  -H 'Accept: application/vnd.ibexa.api.JWT+json' \
+  -d '{
+        "JWTInput": {
+          "_media-type": "application/vnd.ibexa.api.JWTInput+json",
+          "username": "ibexa-example",
+          "password": "Ibexa-3xample"
+        }
+      }' | jq -r .JWT.token)
+
+exec npx -y supergateway \
+  --streamableHttp "$baseUrl/mcp/example" \
+  --oauth2Bearer "$jwtToken" \
+  --logLevel none

code_samples/mcp/mcp.matrix.yaml

@@ -0,0 +1,43 @@
+ibexa:
+    repositories:
+        <repository_identifier>:
+            mcp:
+                <server_identifier>:
+                    path: <server_route_path>
+                    enabled: true
+                    # Server options…
+                    tools:
+                        - Ibexa\Mcp\Tool\TranslationTools
+                        - Ibexa\Mcp\Tool\SeoTools
+                    discovery_cache: <cache_pool_service>
+                    session:
+                        type: <psr16|file|memory>
+                        # Session options…
+                mcp_psr16:
+                    discovery_cache: cache.redis.mcp
+                    session:
+                        type: psr16
+                        service: cache.redis.mcp
+                        prefix: 'mcp_<server_identifier>_'
+                mcp_file:
+                    session:
+                        type: file
+                        directory: '%kernel.cache_dir%/mcp/sessions'
+                mcp_memory:
+                    session:
+                        type: memory
+    system:
+        <siteaccess_scope>:
+            mcp:
+                servers:
+                    - <server_identifier>
+services:
+    cache.redis.mcp:
+        public: true
+        class: Symfony\Component\Cache\Adapter\RedisTagAwareAdapter
+        parent: cache.adapter.redis
+        tags:
+            -   name: cache.pool
+                clearer: cache.app_clearer
+                provider: 'redis://mcp.redis:6379'
+                namespace: 'mcp'

code_samples/mcp/mcp.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+set -e
+set +x
+
+baseUrl='http://localhost' # Adapt to your test case
+username='ibexa-example'
+password='Ibexa-3xample'
+
+curl -s -X 'POST' \
+  "$baseUrl/api/ibexa/v2/user/token/jwt" \
+  -H 'Content-Type: application/vnd.ibexa.api.JWTInput+json' \
+  -H 'Accept: application/vnd.ibexa.api.JWT+json' \
+  -d "{
+        \"JWTInput\": {
+          \"_media-type\": \"application/vnd.ibexa.api.JWTInput+json\",
+          \"username\": \"$username\",
+          \"password\": \"$password\"
+        }
+      }" > response.tmp.txt
+
+cat response.tmp.txt | jq
+jwtToken=$(cat response.tmp.txt | jq -r .JWT.token)
+rm response.tmp.txt
+
+curl -s -i -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 1,
+        "method": "initialize",
+        "params": {
+          "protocolVersion": "2025-03-26",
+          "capabilities": {},
+          "clientInfo": {
+            "name": "test-curl-client",
+            "version": "1.0.0"
+          }
+        }
+      }' > response.tmp.txt
+
+sed '$d' response.tmp.txt
+tail -n 1 response.tmp.txt | jq
+mcpSessionId=$(cat response.tmp.txt | grep 'Mcp-Session-Id:' | sed 's/Mcp-Session-Id: \([0-9a-f-]*\).*/\1/')
+rm response.tmp.txt
+
+curl -s -i -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -H "Mcp-Session-Id: $mcpSessionId" \
+  -d '{
+        "jsonrpc": "2.0",
+        "method": "notifications/initialized"
+      }'
+
+curl -s -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -H "Mcp-Session-Id: $mcpSessionId" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 2,
+        "method": "tools/list"
+      }' | jq
+
+curl -s -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -H "Mcp-Session-Id: $mcpSessionId" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 3,
+        "method": "tools/call",
+        "params": {
+          "name": "greet",
+          "arguments": {
+            "name": "World"
+          }
+        }
+      }' | jq
+
+curl -s -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -H "Mcp-Session-Id: $mcpSessionId" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 4,
+        "method": "prompts/list"
+      }' | jq
+
+curl -s -X 'POST' "$baseUrl/mcp/example" \
+  -H "Authorization: Bearer $jwtToken" \
+  -H "Mcp-Session-Id: $mcpSessionId" \
+  -d '{
+        "jsonrpc": "2.0",
+        "id": 5,
+        "method": "prompts/get",
+        "params": {
+          "name": "greet",
+          "arguments": {
+            "name": "Firstname Lastname"
+          }
+        }
+      }' | jq

code_samples/mcp/mcp.sh.output.txt

@@ -0,0 +1,187 @@
+{
+  "JWT": {
+    "_media-type": "application/vnd.ibexa.api.JWT+json",
+    "_token": "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz1234567890ABCD.EFGHIJKL-MNOPQRSTUVWXYZ12345678901234567890",
+    "token": "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz1234567890ABCD.EFGHIJKL-MNOPQRSTUVWXYZ12345678901234567890"
+  }
+}
+HTTP/1.1 200 OK
+Access-Control-Allow-Headers: Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept
+Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS
+Access-Control-Allow-Origin: *
+Access-Control-Expose-Headers: Mcp-Session-Id
+Cache-Control: no-cache, private
+Content-Type: application/json
+Date: Tue, 28 Apr 2026 09:53:27 GMT
+Mcp-Session-Id: 12345678-9abc-def0-1234-56789abcdef0
+Server: Apache/2.4.66 (Debian)
+Vary: cookie,authorization
+X-Cache-Debug: 1
+X-Debug-Token: 123456
+X-Debug-Token-Link: http://localhost/_profiler/123456
+X-Powered-By: Ibexa Commerce v5
+X-Robots-Tag: noindex
+Transfer-Encoding: chunked
+
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "result": {
+    "protocolVersion": "2025-06-18",
+    "capabilities": {
+      "logging": {},
+      "completions": {},
+      "prompts": {
+        "listChanged": true
+      },
+      "resources": {
+        "listChanged": true
+      },
+      "tools": {
+        "listChanged": true
+      }
+    },
+    "serverInfo": {
+      "name": "example",
+      "version": "1.0.0",
+      "description": "Example MCP Server"
+    },
+    "instructions": "Use this server to greet someone."
+  }
+}
+HTTP/1.1 202 Accepted
+Access-Control-Allow-Headers: Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept
+Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS
+Access-Control-Allow-Origin: *
+Access-Control-Expose-Headers: Mcp-Session-Id
+Cache-Control: no-cache, private
+Content-Length: 0
+Content-Type: text/html; charset=UTF-8
+Date: Fri, 24 Apr 2026 11:16:27 GMT
+Server: Apache/2.4.66 (Debian)
+Vary: cookie,authorization
+X-Cache-Debug: 1
+X-Debug-Token: 7890ab
+X-Debug-Token-Link: http://localhost/_profiler/7890ab
+X-Powered-By: Ibexa Commerce v5
+X-Robots-Tag: noindex
+
+{
+  "jsonrpc": "2.0",
+  "id": 2,
+  "result": {
+    "tools": [
+      {
+        "name": "greet",
+        "inputSchema": {
+          "type": "object",
+          "properties": {
+            "name": {
+              "type": "string",
+              "description": "The name of the person to greet"
+            }
+          },
+          "required": [
+            "name"
+          ]
+        },
+        "description": "Greet a user by name",
+        "annotations": {
+          "readOnlyHint": true,
+          "destructiveHint": false,
+          "idempotentHint": true,
+          "openWorldHint": false
+        },
+        "icons": [
+          {
+            "src": "https://openmoji.org/data/color/svg/1F44B.svg"
+          }
+        ],
+        "outputSchema": {
+          "type": "object",
+          "properties": {
+            "general": {
+              "type": "string",
+              "description": "the safe way to greet someone"
+            },
+            "close": {
+              "type": "string",
+              "description": "when you're close to the person, like friends or relatives"
+            },
+            "morning": {
+              "type": "string",
+              "description": "when it's in the morning"
+            },
+            "afternoon": {
+              "type": "string",
+              "description": "when it's the afternoon"
+            },
+            "evening": {
+              "type": "string",
+              "description": "when it's late in the day"
+            }
+          }
+        }
+      }
+    ]
+  }
+}
+{
+  "jsonrpc": "2.0",
+  "id": 3,
+  "result": {
+    "content": [
+      {
+        "type": "text",
+        "text": "{\n    \"general\": \"Hello, World!\",\n    \"close\": \"Hey, World!\",\n    \"morning\": \"Good morning, World!\",\n    \"afternoon\": \"Good afternoon, World!\",\n    \"evening\": \"Good evening, World!\"\n}"
+      }
+    ],
+    "isError": false,
+    "structuredContent": {
+      "general": "Hello, World!",
+      "close": "Hey, World!",
+      "morning": "Good morning, World!",
+      "afternoon": "Good afternoon, World!",
+      "evening": "Good evening, World!"
+    }
+  }
+}
+{
+  "jsonrpc": "2.0",
+  "id": 4,
+  "result": {
+    "prompts": [
+      {
+        "name": "greet",
+        "description": "Prompt to be greeted by the `greet` tool",
+        "arguments": [
+          {
+            "name": "name",
+            "description": "The name you want to be greeted by",
+            "required": true
+          }
+        ],
+        "icons": [
+          {
+            "src": "https://openmoji.org/data/color/svg/1F91D.svg"
+          }
+        ]
+      }
+    ]
+  }
+}
+{
+  "jsonrpc": "2.0",
+  "id": 5,
+  "result": {
+    "messages": [
+      {
+        "role": "user",
+        "content": {
+          "type": "text",
+          "text": "Hi. My name is Firstname Lastname. Please, greet me."
+        }
+      }
+    ]
+  }
+}