Labsco
100xPercent logo

pop-pay

β˜… 1

from 100xPercent

Stop AI agents leaking your payment info or making hallucinated purchases. No SaaS, No login, No pain, fully local.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeQuick setup

npm version License: MIT CI Node.js

<p align="center"> <picture> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/project_banner.png" alt="Point One Percent (AgentPay)" width="800"> </picture> </p>

Point One Percent β€” pop-pay

<p align="left"><i>it only takes <b>0.1%</b> of Hallucination to drain <b>100%</b> of your wallet.</i></p>

The runtime security layer for AI agent commerce. Drop-in CLI + MCP server. Card credentials are injected directly into the browser DOM via CDP β€” they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.

<p align="center"> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/assets/runtime_demo.gif" alt="Point One Percent β€” live CDP injection demo" width="800"> </p>

πŸ“„ Research Dataset & Reproduction β€” this repository hosts the open dataset and reproduction harness for "The Illusion of Single-Attacker Rankings". research: jump to Research Dataset & Reproduction.

MCP Server (optional)

Add to your MCP client

Standard config for any MCP-compatible client:

{
  "mcpServers": {
    "pop-pay": {
      "command": "npx",
      "args": ["-y", "pop-pay", "launch-mcp"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20MCP%20Server&color=0098FF" alt="Install in VS Code"> <img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20MCP%20Server&color=24bfa5"> <img src="https://img.shields.io/badge/Cursor-Cursor?style=flat-square&label=Install%20MCP%20Server&color=5C2D91" alt="Install in Cursor">

<details> <summary>Claude Code</summary>

Claude Code uses its own CLI β€” the JSON config above is not needed.

claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp

--scope user makes it available across all projects. To remove: claude mcp remove pop-pay

</details> <details> <summary>Cursor / Windsurf / VS Code</summary>

Add the JSON config above to:

  • Cursor: ~/.cursor/mcp.json
  • Windsurf: ~/.codeium/windsurf/mcp_config.json
  • VS Code (Copilot): .vscode/mcp.json in project root
</details> <details> <summary>OpenClaw / NemoClaw</summary>

OpenClaw has its own CLI β€” the JSON config above is not needed.

openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp

Or add to ~/.openclaw/mcp_servers.json using the JSON config above.

For System Prompt templates and NemoClaw sandbox setup, see Integration Guide Β§4.

</details> <details> <summary>Docker</summary>
docker-compose up -d

Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.

</details>

MCP Tools

ToolDescription
request_virtual_cardIssue a virtual card and inject credentials into the checkout page via CDP. Automatically scans the page for hidden prompt injections.
request_purchaser_infoAuto-fill billing/contact info (name, address, email, phone). Automatically scans the page for hidden prompt injections.
request_x402_paymentPay for API calls via the x402 HTTP payment protocol.

Tip for Claude Code users: Add the following to your project's CLAUDE.md to help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use the request_virtual_card tool. For billing/contact info forms, use request_purchaser_info first."

Providers

ProviderDescription
BYOC (default)Bring Your Own Card β€” encrypted vault credentials, local CDP injection.
Stripe IssuingReal virtual cards via Stripe API. Requires POP_STRIPE_KEY.
LithicMulti-issuer adapter (Stripe Issuing / Lithic).
MockTest mode with generated card numbers for development.

Priority: Stripe Issuing β†’ BYOC Local β†’ Mock.

Security

LayerDefense
Context IsolationCard credentials never enter the agent's context window or logs
Encrypted VaultAES-256-GCM with XOR-split salt and native scrypt key derivation (Rust)
TOCTOU GuardDomain verified at the moment of CDP injection β€” blocks redirect attacks
Repr RedactionAutomatic masking (****-4242) in all MCP responses, logs, and tracebacks

See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.

Architecture

  • TypeScript β€” MCP server, CDP injection engine, guardrails, CLI
  • Rust (napi-rs) β€” Native security layer: XOR-split salt storage, scrypt key derivation
  • Node.js crypto β€” AES-256-GCM vault encryption (OpenSSL binding)
  • Chrome DevTools Protocol β€” Direct DOM injection via raw WebSocket

Documentation

Research Dataset & Reproduction

This repository hosts the open-source dataset and harness for the cross-vendor attacker-stability methodology described in the corresponding research paper. Reviewer/researcher reproduction artifacts:

  • Corpus (585 attack payloads, 11 categories): tests/redteam/corpus/
    • attacks.json β€” full payload set with category labels
    • GENERATION.md β€” corpus generation protocol
    • schema.json β€” payload schema
  • Run JSONLs (26,325 rows, 9 models Γ— 585 payloads Γ— N=5): tests/redteam/runs/
    • PRIMARY whitebox-no-feedback runs: runs/adaptive/2026-04-28T19-50-*
    • Static panel runs: runs/static/
    • Prompt-ablation (v3 / strict / paranoid): runs/ablation/
  • Manifest hashes: tests/redteam/runs/MANIFEST.sha256 β€” byte-level integrity for all artifacts
  • Croissant 1.0 metadata (Core + RAI fields): paper-artifacts/croissant.json
  • Reproduction scripts (regenerate paper tables/figures from JSONL):
    • python3 paper-artifacts/gen-tables.py --table all β€” Tab.~bypassk / threat-ablation / cross-vendor
    • python3 paper-artifacts/gen-taxonomy-map.py β€” Fig.~taxonomy-map
  • License: corpus CC BY-SA 4.0, harness MIT.

For dataset schema, statistical methodology (bootstrap CI, Holm-Bonferroni, McNemar), full from-scratch re-collection instructions, JSONL row data dictionary, and responsible-disclosure policy, see docs/PAPER_REPRODUCTION.md.

License

MIT