Point One Percent — pop-pay
it only takes 0.1% of Hallucination to drain 100% of your wallet.
The runtime security layer for AI agent commerce. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.
Getting Started
1. Initialize the credential vault
npx -y pop-pay pop-init-vault
This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). The MCP server decrypts automatically at startup.
For stronger protection (recommended — blocks agents with shell access):
npx -y pop-pay pop-init-vault --passphrase # one-time setup
npx -y pop-pay pop-unlock # run once before each session
2. Add to your MCP client
Standard config for any MCP-compatible client:
{
"mcpServers": {
"pop-pay": {
"command": "npx",
"args": ["-y", "pop-pay", "launch-mcp"],
"env": {
"POP_CDP_URL": "http://localhost:9222"
}
}
}
}
Claude Code uses its own CLI — the JSON config above is not needed.
claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp
--scope user makes it available across all projects. To remove: claude mcp remove pop-pay
Add the JSON config above to:
- Cursor:
~/.cursor/mcp.json - Windsurf:
~/.codeium/windsurf/mcp_config.json - VS Code (Copilot):
.vscode/mcp.jsonin project root
OpenClaw has its own CLI — the JSON config above is not needed.
openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp
Or add to ~/.openclaw/mcp_servers.json using the JSON config above.
For System Prompt templates and NemoClaw sandbox setup, see Integration Guide §4.
Dockerdocker-compose up -d
Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.
3. Launch Chrome with CDP and start using
npx -y pop-pay launch
Restart your MCP client. The agent now has access to pop-pay's MCP tools.
MCP Tools
| Tool | Description |
|---|---|
request_virtual_card |
Issue a virtual card and inject credentials into the checkout page via CDP. Automatically scans the page for hidden prompt injections. |
request_purchaser_info |
Auto-fill billing/contact info (name, address, email, phone). Automatically scans the page for hidden prompt injections. |
request_x402_payment |
Pay for API calls via the x402 HTTP payment protocol. |
Tip for Claude Code users: Add the following to your project's
CLAUDE.mdto help the agent know when to call pop-pay:"When you encounter a payment form or checkout page, use therequest_virtual_cardtool. For billing/contact info forms, userequest_purchaser_infofirst."
Configuration
Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.
| Variable | Default | Description |
|---|---|---|
POP_ALLOWED_CATEGORIES |
["aws","cloudflare"] |
Approved vendor categories — see Categories Cookbook |
POP_MAX_PER_TX |
100.0 |
Max USD per transaction |
POP_MAX_DAILY |
500.0 |
Max USD per day |
POP_BLOCK_LOOPS |
true |
Block hallucination/retry loops |
POP_AUTO_INJECT |
true |
Enable CDP card injection |
POP_GUARDRAIL_ENGINE |
keyword |
keyword (zero-cost) or llm (semantic) |
Guardrail Mode
keyword (default) |
llm |
|
|---|---|---|
| Mechanism | Keyword matching on reasoning string | Semantic analysis via LLM |
| Cost | Zero — no API calls | One LLM call per request |
| Best for | Development, low-risk workflows | Production, high-value transactions |
To enable LLM mode, see Integration Guide §1.
Providers
| Provider | Description |
|---|---|
| BYOC (default) | Bring Your Own Card — encrypted vault credentials, local CDP injection. |
| Stripe Issuing | Real virtual cards via Stripe API. Requires POP_STRIPE_KEY. |
| Lithic | Multi-issuer adapter (Stripe Issuing / Lithic). |
| Mock | Test mode with generated card numbers for development. |
Priority: Stripe Issuing → BYOC Local → Mock.
Security
| Layer | Defense |
|---|---|
| Context Isolation | Card credentials never enter the agent's context window or logs |
| Encrypted Vault | AES-256-GCM with XOR-split salt and native scrypt key derivation (Rust) |
| TOCTOU Guard | Domain verified at the moment of CDP injection — blocks redirect attacks |
| Repr Redaction | Automatic masking (****-4242) in all MCP responses, logs, and tracebacks |
See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.
Architecture
- TypeScript — MCP server, CDP injection engine, guardrails, CLI
- Rust (napi-rs) — Native security layer: XOR-split salt storage, scrypt key derivation
- Node.js crypto — AES-256-GCM vault encryption (OpenSSL binding)
- Chrome DevTools Protocol — Direct DOM injection via raw WebSocket
Documentation
- Threat Model — STRIDE analysis, 5 security primitives, 10 attack scenarios
- Guardrail Benchmark — 95% accuracy across 20 test scenarios
- Compliance FAQ — PCI DSS, SOC 2, GDPR details
- Environment Reference — All POP_* environment variables
- Integration Guide — Setup for Claude Code, Node.js SDK, and browser agents
- Categories Cookbook — POP_ALLOWED_CATEGORIES patterns and examples
License
MIT
