
Point One Percent β pop-pay
<p align="left"><i>it only takes <b>0.1%</b> of Hallucination to drain <b>100%</b> of your wallet.</i></p>The runtime security layer for AI agent commerce. Drop-in CLI + MCP server. Card credentials are injected directly into the browser DOM via CDP β they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.
<p align="center"> <img src="https://raw.githubusercontent.com/100xPercent/pop-pay-python/main/assets/runtime_demo.gif" alt="Point One Percent β live CDP injection demo" width="800"> </p>π Research Dataset & Reproduction β this repository hosts the open dataset and reproduction harness for "The Illusion of Single-Attacker Rankings". research: jump to Research Dataset & Reproduction.
MCP Server (optional)
Add to your MCP client
Standard config for any MCP-compatible client:
{
"mcpServers": {
"pop-pay": {
"command": "npx",
"args": ["-y", "pop-pay", "launch-mcp"],
"env": {
"POP_CDP_URL": "http://localhost:9222"
}
}
}
}<img src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20MCP%20Server&color=0098FF" alt="Install in VS Code"> <img alt="Install in VS Code Insiders" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20MCP%20Server&color=24bfa5"> <img src="https://img.shields.io/badge/Cursor-Cursor?style=flat-square&label=Install%20MCP%20Server&color=5C2D91" alt="Install in Cursor">
<details> <summary>Claude Code</summary>Claude Code uses its own CLI β the JSON config above is not needed.
claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp--scope user makes it available across all projects. To remove: claude mcp remove pop-pay
Add the JSON config above to:
- Cursor:
~/.cursor/mcp.json - Windsurf:
~/.codeium/windsurf/mcp_config.json - VS Code (Copilot):
.vscode/mcp.jsonin project root
OpenClaw has its own CLI β the JSON config above is not needed.
openclaw mcp add pop-pay -- npx -y pop-pay launch-mcpOr add to ~/.openclaw/mcp_servers.json using the JSON config above.
For System Prompt templates and NemoClaw sandbox setup, see Integration Guide Β§4.
</details> <details> <summary>Docker</summary>docker-compose up -dRuns the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.
</details>MCP Tools
| Tool | Description |
|---|---|
request_virtual_card | Issue a virtual card and inject credentials into the checkout page via CDP. Automatically scans the page for hidden prompt injections. |
request_purchaser_info | Auto-fill billing/contact info (name, address, email, phone). Automatically scans the page for hidden prompt injections. |
request_x402_payment | Pay for API calls via the x402 HTTP payment protocol. |
Tip for Claude Code users: Add the following to your project's
CLAUDE.mdto help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use therequest_virtual_cardtool. For billing/contact info forms, userequest_purchaser_infofirst."
Providers
| Provider | Description |
|---|---|
| BYOC (default) | Bring Your Own Card β encrypted vault credentials, local CDP injection. |
| Stripe Issuing | Real virtual cards via Stripe API. Requires POP_STRIPE_KEY. |
| Lithic | Multi-issuer adapter (Stripe Issuing / Lithic). |
| Mock | Test mode with generated card numbers for development. |
Priority: Stripe Issuing β BYOC Local β Mock.
Security
| Layer | Defense |
|---|---|
| Context Isolation | Card credentials never enter the agent's context window or logs |
| Encrypted Vault | AES-256-GCM with XOR-split salt and native scrypt key derivation (Rust) |
| TOCTOU Guard | Domain verified at the moment of CDP injection β blocks redirect attacks |
| Repr Redaction | Automatic masking (****-4242) in all MCP responses, logs, and tracebacks |
See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.
Architecture
- TypeScript β MCP server, CDP injection engine, guardrails, CLI
- Rust (napi-rs) β Native security layer: XOR-split salt storage, scrypt key derivation
- Node.js crypto β AES-256-GCM vault encryption (OpenSSL binding)
- Chrome DevTools Protocol β Direct DOM injection via raw WebSocket
Documentation
- Threat Model β STRIDE analysis, 5 security primitives, 10 attack scenarios
- Guardrail Benchmark β Cross-model evaluation (Anthropic / OpenAI / Gemini) across 585 payloads, 11 attack categories
- Compliance FAQ β PCI DSS, SOC 2, GDPR details
- Environment Reference β All POP_* environment variables
- Integration Guide β Setup for Claude Code, Node.js SDK, and browser agents
- Categories Cookbook β POP_ALLOWED_CATEGORIES patterns and examples
Research Dataset & Reproduction
This repository hosts the open-source dataset and harness for the cross-vendor attacker-stability methodology described in the corresponding research paper. Reviewer/researcher reproduction artifacts:
- Corpus (585 attack payloads, 11 categories):
tests/redteam/corpus/attacks.jsonβ full payload set with category labelsGENERATION.mdβ corpus generation protocolschema.jsonβ payload schema
- Run JSONLs (26,325 rows, 9 models Γ 585 payloads Γ N=5):
tests/redteam/runs/- PRIMARY whitebox-no-feedback runs:
runs/adaptive/2026-04-28T19-50-* - Static panel runs:
runs/static/ - Prompt-ablation (v3 / strict / paranoid):
runs/ablation/
- PRIMARY whitebox-no-feedback runs:
- Manifest hashes:
tests/redteam/runs/MANIFEST.sha256β byte-level integrity for all artifacts - Croissant 1.0 metadata (Core + RAI fields):
paper-artifacts/croissant.json - Reproduction scripts (regenerate paper tables/figures from JSONL):
python3 paper-artifacts/gen-tables.py --table allβ Tab.~bypassk / threat-ablation / cross-vendorpython3 paper-artifacts/gen-taxonomy-map.pyβ Fig.~taxonomy-map
- License: corpus CC BY-SA 4.0, harness MIT.
For dataset schema, statistical methodology (bootstrap CI, Holm-Bonferroni, McNemar), full from-scratch re-collection instructions, JSONL row data dictionary, and responsible-disclosure policy, see docs/PAPER_REPRODUCTION.md.
License
MIT
brew install 100xpercent/tap/pop-payBefore it works, you'll need: POP_CDP_URL
Install
Choose your preferred method:
<details> <summary>Homebrew (macOS)</summary>brew install 100xpercent/tap/pop-paycurl -fsSL https://raw.githubusercontent.com/100xPercent/pop-pay/main/install.sh | shnpm install -g pop-paynpx -y pop-pay <command>All install paths expose the same binaries: pop-pay, pop-launch, pop-init-vault, pop-unlock.
Also available as
@100xpercent/mcp-server-pop-payβ identical package under the MCP@scope/mcp-server-<name>convention. Tracks the same version on every release.
Using Python? Check out pop-pay-python β
pip install pop-pay. Same security model, same vault format, independent release cycle β safe to switch between runtimes.
Quick Start (CLI)
1. Initialize the encrypted credential vault
pop-pay init-vaultThis encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). For stronger protection (blocks agents with shell access):
pop-pay init-vault --passphrase # one-time setup
pop-pay unlock # run once per session2. Launch Chrome with CDP remote debugging
pop-pay launchThis opens a Chromium instance on http://localhost:9222 that pop-pay injects credentials into. Your agent (via MCP, browser automation, or x402) then drives the checkout flow β card details never leave the browser process.
3. Plug into your agent
The CLI launches infrastructure; the actual payment tool calls come from your agent. Two supported paths:
- MCP server β add pop-pay to any MCP-compatible client (Claude Code, Cursor, Windsurf, OpenClaw). See MCP Server below.
- x402 HTTP β pay for API calls via the x402 payment protocol.
Full CLI reference: pop-pay --help.
Configuration
Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.
| Variable | Default | Description |
|---|---|---|
POP_ALLOWED_CATEGORIES | ["aws","cloudflare"] | Approved vendor categories β see Categories Cookbook |
POP_MAX_PER_TX | 100.0 | Max USD per transaction |
POP_MAX_DAILY | 500.0 | Max USD per day |
POP_BLOCK_LOOPS | true | Block hallucination/retry loops |
POP_AUTO_INJECT | true | Enable CDP card injection |
POP_GUARDRAIL_ENGINE | keyword | keyword (zero-cost) or llm (semantic) |
Guardrail Mode
keyword (default) | llm | |
|---|---|---|
| Mechanism | Keyword matching on reasoning string | Semantic analysis via LLM |
| Cost | Zero β no API calls | One LLM call per request |
| Best for | Development, low-risk workflows | Production, high-value transactions |
To enable LLM mode, see Integration Guide Β§1.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.