magebitcom / magento2-mcp-customer-tools
magebitcom/magento2-mcp-customer-tools
Customer-domain MCP tools for Magebit_Mcp (read + write over customers, addresses, groups, account management)
Magento2 MCP - Customer Tools
This is a sub-module for the Magento2 MCP module
Customer-domain MCP tools for Magebit_Mcp. Reads and writes against
customer accounts, addresses, customer groups, and account management
flows (password reset, confirmation).
Each tool is a thin wrapper over a Magento service contract
(CustomerRepositoryInterface, AddressRepositoryInterface,
GroupRepositoryInterface, AccountManagementInterface) and composes its
read response from field resolvers that 3rd-party modules can extend.
Install
composer require magebitcom/magento2-mcp-customer-tools
bin/magento module:enable Magebit_McpCustomerTools
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush
Tool catalog
Read tools
| Tool | What it does |
|---|---|
customer.customer.list |
Paginated customer search; filter by email (exact / glob / array), firstname/lastname substring, group_id, website_id, store_id, created_at range, updated_at range, dob range. |
customer.customer.get |
Single customer by numeric id or by email (+ optional website_id for email lookup in per-website scope). |
customer.address.list |
Paginated address search; filter by customer_id, country_id, region_id, postcode, city, telephone. |
customer.address.get |
Single customer address by id. |
customer.group.list |
Paginated group search; filter by code (exact / glob / array) and tax_class_id. |
customer.group.get |
Single customer group by id. |
customer.account.confirmation_status |
Returns account_confirmed, account_confirmation_required, or account_confirmation_not_required. |
Write tools
All writes require the global magebit_mcp/general/allow_writes flag and
the token's own allow_writes flag to be 1. Destructive operations
additionally set requires_confirmation so MCP clients (Claude Desktop,
etc.) prompt before firing.
| Tool | Confirm? | Delegates to | Underlying ACL |
|---|---|---|---|
customer.customer.create |
yes | AccountManagementInterface::createAccount() |
Magento_Customer::manage |
customer.customer.update |
yes | CustomerRepositoryInterface::save() (PATCH) |
Magento_Customer::manage |
customer.customer.delete |
yes | CustomerRepositoryInterface::delete() |
Magento_Customer::delete |
customer.address.create |
yes | AddressRepositoryInterface::save() |
Magento_Customer::manage |
customer.address.update |
yes | AddressRepositoryInterface::save() (PATCH) |
Magento_Customer::manage |
customer.address.delete |
yes | AddressRepositoryInterface::delete() |
Magento_Customer::manage |
customer.account.reset_password |
yes | AccountManagementInterface::initiatePasswordReset() |
Magento_Customer::reset_password |
customer.account.resend_confirmation |
no | AccountManagementInterface::resendConfirmation() |
Magento_Customer::manage |
Every write tool also implements Magebit\Mcp\Api\UnderlyingAclAwareInterface
so the handler blocks calls from admins who wouldn't be allowed to perform
the same action in the admin UI.
Identity lookups
customer.customer.get, customer.customer.update, customer.customer.delete,
customer.account.confirmation_status accept either id (numeric primary
key) or email. Email lookups take an optional website_id because
customer/account_share/scope may be per-website (the Magento default), in
which case the same address can exist on multiple sites as distinct
accounts.
Address tools are keyed by numeric id only — addresses are unique per
row, not per customer+label.
PII handling
Customer and address records are PII-heavy by design. Every read tool
exposes the fields / exclude arguments so callers can narrow the
payload:
customer.customer.get { fields: ["identity", "scope"] }— just id /
email / website / group.customer.customer.get { exclude: ["addresses", "profile"] }— skip the
full address book and the dob/gender/taxvat triplet.customer.customer.listships with a lean default set (identity,
scope,timestamps) —addresses,custom_attributes, and
extension_attributesare omitted from list responses to avoid
multiplying the payload by the size of each customer's attribute set.
Audit summaries stored in magebit_mcp_audit_log contain identifiers only
(id, email, website_id, row counts) — never the full record.
Extending
See docs/EXTENDING.md for:
- adding a new field to any tool response via
CustomerFieldResolverInterface
/AddressFieldResolverInterface/GroupFieldResolverInterface; - adding a new filter to any list tool via
CustomerFilterTranslatorInterface
/AddressFilterTranslatorInterface/GroupFilterTranslatorInterface; - the ACL layering rules for custom write tools.
License
Released under the MIT License.
Have questions or need help? Contact us at [email protected]
No changelog yet
The vendor hasn't published a changelog. Tagged releases appear in the Versions tab.
Requires 3
| Package | Constraint |
|---|---|
| magebitcom/magento2-mcp-module | * |
| magento/framework | ^103.0 |
| php | >=8.1 |
Compatibility
Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.
Code Quality
Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.
Static analysis
Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.
| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 35 | 35 warnings (ruleset: Magento2) — 25 auto-fixable with phpcbf |
| PHPMD | Warning | 7 | 7 rule violations (CyclomaticComplexity:3, NPathComplexity:2, ExcessiveClassComplexity:1, TooManyPublicMethods:1) |
| Cpd | Warning | 10 | 10 duplicated chunks spanning 366 total lines (min-lines=5, min-tokens=70) |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |
PHPStan
Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases. Cell → details modal.
Tests
Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.
Unit tests
Integration tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Security
Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.
More from magebitcom
View vendorModule documentation viewer for Magento 2 admin
This module enables Montonio Hirepurchase with Hyva Checkout
Google Analytics 4 MCP tools for Magebit_Mcp — wraps the GA Data and Admin APIs as MCP tools so AI clients can query property metadata, run reports, run realtime reports, and run funnel reports against your store's analytics property.
Magebit Klaviyo extension
Turn an existing module into recurring revenue.
If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.