pop-pay

v0.3.2

Published

an hour ago

Point One Percent - Semantic Payment Guardrail for AI Agents. It only takes 0.1% of hallucination to drain 100% of your wallet.

0High
0Medium
0Low

tpemist

ai agent payment guardrail security mcp mcp-server model-context-protocol virtual-card cdp browser-automation checkout

Point One Percent — pop-pay

The runtime security layer for AI agent commerce. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.

Getting Started

1. Initialize the credential vault

npx -y pop-pay pop-init-vault

This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). The MCP server decrypts automatically at startup.

For stronger protection (recommended — blocks agents with shell access):

npx -y pop-pay pop-init-vault --passphrase   # one-time setup
npx -y pop-pay pop-unlock                     # run once before each session

2. Add to your MCP client

Standard config for any MCP-compatible client:

{
  "mcpServers": {
    "pop-pay": {
      "command": "npx",
      "args": ["-y", "pop-pay", "launch-mcp"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

Claude Code uses its own CLI — the JSON config above is not needed.

claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp

--scope user makes it available across all projects. To remove: claude mcp remove pop-pay

Add the JSON config above to:

Cursor: ~/.cursor/mcp.json
Windsurf: ~/.codeium/windsurf/mcp_config.json
VS Code (Copilot): .vscode/mcp.json in project root

OpenClaw has its own CLI — the JSON config above is not needed.

openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp

Or add to ~/.openclaw/mcp_servers.json using the JSON config above.

For System Prompt templates and NemoClaw sandbox setup, see Integration Guide §4.

docker-compose up -d

Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.

3. Launch Chrome with CDP and start using

npx -y pop-pay launch

Restart your MCP client. The agent now has access to pop-pay's MCP tools.

MCP Tools

| Tool | Description | |:---|:---| | request_virtual_card | Issue a virtual card and inject credentials into the checkout page via CDP. | | request_purchaser_info | Auto-fill billing/contact info (name, address, email, phone). | | request_x402_payment | Pay for API calls via the x402 HTTP payment protocol. | | page_snapshot | Scan a checkout page for hidden prompt injections or anomalies. |

Tip for Claude Code users: Add the following to your project's CLAUDE.md to help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use the request_virtual_card tool. For billing/contact info forms, use request_purchaser_info first."

Configuration

Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.

| Variable | Default | Description | |---|---|---| | POP_ALLOWED_CATEGORIES | ["aws","cloudflare"] | Approved vendor categories — see Categories Cookbook | | POP_MAX_PER_TX | 100.0 | Max USD per transaction | | POP_MAX_DAILY | 500.0 | Max USD per day | | POP_BLOCK_LOOPS | true | Block hallucination/retry loops | | POP_AUTO_INJECT | true | Enable CDP card injection | | POP_GUARDRAIL_ENGINE | keyword | keyword (zero-cost) or llm (semantic) |

Guardrail Mode

| | keyword (default) | llm | |---|---|---| | Mechanism | Keyword matching on reasoning string | Semantic analysis via LLM | | Cost | Zero — no API calls | One LLM call per request | | Best for | Development, low-risk workflows | Production, high-value transactions |

To enable LLM mode, see Integration Guide §1.

Providers

| Provider | Description | |:---|:---| | BYOC (default) | Bring Your Own Card — encrypted vault credentials, local CDP injection. | | Stripe Issuing | Real virtual cards via Stripe API. Requires POP_STRIPE_KEY. | | Lithic | Multi-issuer adapter (Stripe Issuing / Lithic). | | Mock | Test mode with generated card numbers for development. |

Priority: Stripe Issuing → BYOC Local → Mock.

Security

| Layer | Defense | |---|---| | Context Isolation | Card credentials never enter the agent's context window or logs | | Encrypted Vault | AES-256-GCM with XOR-split salt and native scrypt key derivation (Rust) | | TOCTOU Guard | Domain verified at the moment of CDP injection — blocks redirect attacks | | Repr Redaction | Automatic masking (****-4242) in all MCP responses, logs, and tracebacks |

See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.

Architecture

TypeScript — MCP server, CDP injection engine, guardrails, CLI
Rust (napi-rs) — Native security layer: XOR-split salt storage, scrypt key derivation
Node.js crypto — AES-256-GCM vault encryption (OpenSSL binding)
Chrome DevTools Protocol — Direct DOM injection via raw WebSocket

Documentation

Threat Model — STRIDE analysis, 5 security primitives, 10 attack scenarios
Guardrail Benchmark — 95% accuracy across 20 test scenarios
Compliance FAQ — PCI DSS, SOC 2, GDPR details
Environment Reference — All POP_* environment variables
Integration Guide — Setup for Claude Code, Node.js SDK, and browser agents
Categories Cookbook — POP_ALLOWED_CATEGORIES patterns and examples

License

MIT